SV650.org - SV650 & Gladius 650 Forum
Post #1, 31-03-08, 11:38 AM
2mths (Guest)

How to create a Secure Website - Can anyone give me some pointers?

I'd like to create a secure website. By that I mean (because I might be using the term incorrectly) one where certain content is only accessible to authenticated users. I.e. you need to log in and once you have done so you get to see stuff that Joe Bloggs couldn't.

The website isn't going to do anything like online transactions - but within reason I would like to do as good a job as possible, so that I might confidently put semi-personal info on there in privacy.

My problem is that I don't really know enough about the subject (mechanics of it) to know what I need to look up.

The site is going to sit on IIS6, I'm expecting to have to use some sort of CGI language (again could have wrong term). I've done a lot of simple stuff (db access etc) in Perl but I'm expecting the answer to probably involve PHP or possibly something like ASP (or whatever M$'s latest equivalent is, .NET?).

If anyone can understand my question and give me some pointers or an explanation of the mechanics of the solution that would make me a happy bunny.

TIA
Post #2, 31-03-08, 11:58 AM
MiniMatt (Guest)

Re: How to create a Secure Website - Can anyone give me some pointers?

Big old subject

Starting with the simplest bit, securing the comms between the server and the host; this is fairly easily addressed with an SSL certificate. Note that all this does is encrypt the data stream between the server and the host so as to prevent interception. Note that you don't need a paid-for cert for this - a free one from (eg http://www.cacert.org/) is exactly as secure as one from Thawte or Verisign - the only advantage these provide is that they independently verify the source of the content, i.e. they guarantee that the server you're talking to is the one it says it is. In your case you already know you are who you say you are so this aspect is unnecessary.

With an IIS server your simplest answer is to apply Windows permissions to the directory holding the files (or the files themselves), create a Windows user account on the server (or in the Active Directory if applicable) and within the IIS MMC control applet and within the actual file permissions in the folder structure (i.e. the back end file system) you can control access. This is likely to be more secure than a hand coded ASP password entry system.

If the data is not held in flat files but within a database then your security must include that; this all depends on the database in use but with SQL your first priority is to make sure you don't have a blank "SA" password, and to patch it thoroughly and very regularly thereafter.

A combination of deterrents is best. A straightforward simple one is to make sure your site structure is hidden and your secret squirrel stuff is not linked to. I.e. put your secret stuff at www.yourhost.com/secretsquirrel and don't have any page linking to files within the secretsquirrel directory; you'll have to manually enter the URL whenever you want to go there. Also make sure your IIS service is set up to not list files in a directory when no file is specified but to return an error. I'm pretty certain IIS6 has this set by default though.

EDIT:

Just re-read your brief and it appears you're not necessarily looking for restricted access to one area but rather one area that displays different content depending on your logon name. In that case, firstly be aware that this is more difficult to secure well, it largely depends on the perceived tenacity and competence of those you expect to attempt to break the security. In this instance you might want to look at some freebie open source PHP based content management systems/portals. Systems like Mambo, PHPNuke and PostNuke are all worth looking at - these are simply a boat load of PHP scripts tied to a mySQL back end and sit very nicely on IIS servers.

Last edited by MiniMatt; 31-03-08 at 12:04 PM.
Post #3, 31-03-08, 12:01 PM
Jabba (Guest)

Re: How to create a Secure Website - Can anyone give me some pointers?

Sounds like .php is the way to go.

Try an OpenSource CMS project (xoops/Drupal/Joomla/Mambo etc) as a good start as most of the coding is done for you and there's good community support with all of them. However, most folks run these with MySQL databases on linux servers.

Does it have to be IIS?
Post #4, 31-03-08, 12:29 PM
2mths (Guest)

Re: How to create a Secure Website - Can anyone give me some pointers?

Thanks for the responses peeps.

The site is going to be pretty basic. The number of pages probably won't exceed 20 - but I would like say 15 of them to only be available to an authenticated user. But it will 'only' be as complicated as if you're logged in you can see it all, if you're not you get the 1st 5 pages only.

I don't really expect it to get attacked\broken. For the initial site (the one that prompted me to look into this) it really wouldn't matter if it did. But if I can get my head round this then I can see more uses for it and it would be cool to do something for just me in the future so I could put a load of personal reference stuff up that is more easily accessible than using FTP or RDP.

I'd like to create the solution myself so that I've learned something. If I 'needed' a big\proper solution I would follow the advice of the pre-done stuff (though I'd probably have just used something like Windows Sharepoint Services).

Does it have to be IIS? If it really mattered no - but this is a personal project and I'd rather have it on a platform I understand. If I was Linux\Unix familiar and knew Apache I'd be in a different job and earning more money. As it is I'm a M$ monkey.

I found this page http://www.devarticles.com/c/a/PHP/C...-Login-Script/ in my searching. It seems to cover a lot of what I think I want. I'm just not quite sure how it plugs into things in the grand scheme of things.
I think that I need to:
* Create a login form - have certain info sent from that (ideally over HTTPS to actually be secure but I'm not actually that fussed)
* Use some of the code shown to check this info against some stored in a MySQL db in an encrypted fashion (which is again good practice tho' a step more than I actually need)
* For each page I create, have it run another bit of the code which checks (somehow - sessions and stuff I don't quite get) that the user is logged in - if they are it processes and presents the page; if it doesn't, it dumps them out to a login page.

That mostly makes sense. The whole sessions and cookies thing appears to be black magic to me though.

Last edited by 2mths; 31-03-08 at 12:41 PM.
Post #5, 31-03-08, 12:43 PM
MiniMatt (Guest)

Re: How to create a Secure Website - Can anyone give me some pointers?
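The three steps listed in the post above (login form, credential check against a hashed store, per-page session check), as an added example that is not the devarticles script nor anything posted in this thread. It is written in Python so the mechanics stand out whichever of PHP, Perl or ASP the site ends up in; the dictionaries are constructed stand-ins for the MySQL users table and a server-side session store, and every name in it is my own.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-ins for the MySQL users table and a server-side session
# store (assumed names; a real site would keep both in the database).
USERS = {}            # username -> (salt, password_hash)
SESSIONS = {}         # session id (the cookie value) -> username
PUBLIC_PAGES = {"home", "about", "news", "contact", "links"}   # the "1st 5 pages"
_DUMMY_SALT = os.urandom(16)

def _hash(password, salt):
    # Slow, salted hash: a stolen table does not hand over the passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, _hash(password, salt))

def login(username, password):
    """Steps 1 and 2: the login form handler. Returns the session id to set
    as the cookie (with Secure and HttpOnly flags once HTTPS is on), or None.
    Unknown usernames still go through the hash so the response time does
    not reveal which accounts exist."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, None))
    candidate = _hash(password, salt)
    if stored is None or not hmac.compare_digest(candidate, stored):
        return None
    sid = secrets.token_urlsafe(32)    # random, not derived from the username
    SESSIONS[sid] = username           # the browser only ever holds this id
    return sid

def logout(sid):
    SESSIONS.pop(sid, None)            # invalidate server-side, not just the cookie

def request_page(page, cookie_sid=None):
    """Step 3: the check every restricted page runs first. Returns the status
    and body the page would send; "302 /login" means bounce to the login form."""
    if page in PUBLIC_PAGES:
        return f"200 {page}"
    user = SESSIONS.get(cookie_sid) if cookie_sid else None
    if user is None:
        return "302 /login"
    return f"200 {page} (logged in as {user})"
```

The "black magic" of sessions is only this: the cookie carries a random id, and the server looks that id up in its own store on every request, so nothing about the user or their password ever lives in the browser.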

I'd definitely look at one of those open CMS projects, as Jabba says, it's not really taking power out your hands (I know the feeling of wanting to know how stuff works from the ground up rather than just take a pre-programmed solution) as all they are is a bunch of PHP scripts hooking to a back end DB, you're more than able to hack about with the scripts directly, and if you know a smattering of Perl then you'll be able to understand what's going on.

I'd forgotten about Xoops, used that one some time back and liked it. mySQL will sit happy on Windose too so no worries with that. Know what you mean about the Windows/Linux thing; I'm the same, I know I could potentially get better results with Linux but I also know that with my knowledge I'll generally get a decent working solution together much quicker with Windows.
Post #6, 31-03-08, 12:54 PM
SoulKiss (Member, Mega Poster; Join Date: Jul 2006; Location: Sunny Croydonia; Posts: 6,124)

Re: How to create a Secure Website - Can anyone give me some pointers?

Quote: Originally Posted by 2mths (post #4)
Stick Ubuntu Server on it and you will have a fully working LAMP environment from which to get out of the monkey cage and stop earning peanuts and bananas

Go on - you know it makes sense :P
__________________
Sent from my PC NOT using any Tapatalk type rubbish!!


Post #7, 31-03-08, 02:09 PM
timwilky (Member, Mega Poster; Join Date: Mar 2004; Location: Not in Yorkshire. (Thank God); Posts: 4,116)

Re: How to create a Secure Website - Can anyone give me some pointers?

Authentication is a real big issue. Firstly, do you wish to authenticate for security purposes or simply to direct appropriate content?

At its simplest you can just use a username/password combination and then use some validation script on your server. However, even if you encrypt the password before sending it, it is still hijackable. Therefore you need to use public/private keys.

I provide on one of my applications x509 client certificates to authenticate my end users. That way they need not enter any information; see http://www.urec.cnrs.fr/Distributions/modXLdapAuth/
__________________
Not Grumpy, opinionated.