Security concerns

Discussion in 'Suggestions and Feedback' started by Harvey Birdman, Jan 2, 2008.

  1. Hi, all -

    I've just finished moving my site from Intermedia, where I'd had it for ~5 years or so. While I'm pleased with my choice in most regards, there are a couple of security points where I feel Intermedia was superior, and I'd feel better if I felt these issues were considered.

    Basic security philosophy would require minimizing the surface area exposed to attacks. One obvious aspect would involve allowing users to completely disable the ftp server to an account via the control panel. Except for occasional administrative tasks, I have no need whatever for ftp. Having it permanently enabled unnecessarily exposes the site.

    A second aspect would involve the permanently enabled state of FrontPage authoring capability, when FrontPage extensions are installed. It should be possible, again via the control panel, to disable frontpage authoring. As it stands, a single guessed password completely exposes the site.

    Like I said, I'm happy with the service, but these are serious concerns. Security has a nasty habit of being a priority after the fact; it'd be nice if these potential holes were fixed BEFORE someone was victimized.
     
  2. mjp


    If you think about it, disabling FTP or FrontPage authoring would not prevent any problems created by a guessed password. A weak password exposes your site regardless of what services are enabled. Anyone who could guess your password to gain FTP access would also be able to log into Control Panel and access every aspect of the account (including enabling FTP access and FrontPage authoring, assuming they were customer controllable).

    As you are no doubt aware, there are countless ways into a site through third party applications, insecure code, SQL injections, etc. Virtually every exploited site case that we see can be traced back to entry through a web browser, exploiting a security hole in an application or piece of code.

    We take every necessary security precaution as far as the network and servers are concerned, but I do not think that we will be offering the option of disabling FTP or FrontPage authoring permissions.

    mjp
    ---
    DiscountASP.NET
     
  3. I'm aware of the risks via the Control Panel. The point of disabling authoring and ftp access is that it would prevent exposure via users of the site. As it stands, all that's required is knowledge of the site URL, not the host's Control Panel URL.

    And a lucky guess of a password, which, as you note, would allow access via the Control Panel as well.

    Just thought I'd throw it out there.
     
  4. I also moved from ASP to ASP.NET.
    Used to create commerce sites with it and XML, CIMTEK, Distributorder, MedicalBuyer, etc.
    First hosted my own ASP sites with Burlee, then Interland, which sold out to web.com
    Funniest thing I remember working with FrontPage extensions, for Interdev...
    "Netscape developers are weenies"
    If you never saw that, it was in the root FrontPage site DLL. 2 funny, especially now.

    Working in ASP.NET 1.0 for Siemens I also had to do some things in ASP v3, with the server directives.

    Nowadays I still do some legacy tasks in ASP, so simple and straightforward, to me anyway.

    But for the most part I'm glad to see the changes that have come to ASP.NET now.
    On the top of my list would have to be the 2-way data connections, while we still live in a stateless world.
    If we would have ever gotten that back in the ASP/XML only days, well, it would have been a dream.

    The site I have hosted with DASP currently mixes the latest ASP.NET code and a good mixture of ASP v3.
    Salute,
    Mark
     
  5. Bruce

    Bruce DiscountASP.NET Staff

    If you are concerned about security, please do not use FrontPage extensions. Although MSFT never admits it, we have seen so many security problems w/ FP.

    I have worked in the industry for over 10 years and I have yet to see a security breach over FTP (brute force).

    The most common security breaches I have seen are:

    1) Through their web application. If you use an off-the-shelf app that you download off the internet and there's a hole w/ the app, a hacker can simply search in Google for whoever is using the app and hack into your site through that hole.

    2) A virus on the client computer that steals passwords.

    Bruce

    DiscountASP.NET
    www.DiscountASP.NET
     
  6. Harvey, have you considered moving away from FrontPage?
    You'll get a lot of friendly help here for the new .NET Framework v3.5 security measures.
    There are some exciting technology changes going on right now.
    Salute,
    Mark
     
  7. Hi, Mark -

    Actually, I just moved to .NET 2.0 from old-school ASP. That was what prompted my move from Intermedia - their support of the newer technology was really, really poor. As it is now, the only thing I use FrontPage extensions for is updating the site! It's faster than FTP and plays nice with Expression Web. I was thinking of just un-installing them...
     
  8. Hi, Bruce -

    Yeah, I don't have any specific instance or exploit I can point to. I just noted the difference in Control Panel capabilities and started ruminating.
