I have a web site that has a company intranet located inside a password-protected folder. The userid and password are good (i.e., not “password”, not easily guessed). So far, the intranet content hasn’t been too sensitive–mostly just to-do lists and appointment schedules. But we’re thinking about putting our shared Contact info. up there. It’s just names, addresses, phone numbers, e-mail addresses–not credit cards or SSNs or anything. But still not anything we necessarily want falling into anybody’s hands, getting our clients annoyed, etc.
My question: How safe is a password-protected directory, really? I’m using shared web space from a large ISP, using a Microsoft Server.
How are you implementing the password protection? Are you using windows authentication and changing the folder permissions to prevent IIS from serving files from those folders without a non-IUSR login? Or are you handling the password check within your ASP files? If the latter, is the login just on retrieving the index file, or does each individual file check authentication?
There are many ways to handle password protection. If you can use the windows-level permissions, it’s pretty secure. If you’re using code-level checks, it may be secure or very insecure depending on how it’s implemented.
No, though I’ve done that before in other cases (ASP authentication for every sensitive page; the whole single/double quotes replacement deal to stave off SQL injection attack, etc.). But I always assumed the ASP way was not super-strong, even when implemented as best as possible. Followup question, then–how strong is my security when using ASP authentication for every page?
If you’ve turned off anonymous access in IIS and require windows authentication, that should be secure. You have an option of basic authentication where it says the passwords are sent in clear text or integrated windows authentication. The latter option may put limitations on what users can hit the system (must run IE, etc.). I do not closely follow the security reports in this area, but I don’t recall seeing any exploits against this authentication. But I also don’t use it anywhere, so I’m not trying to play the expert. I use file-level security extensively on Unix/Linux servers, but I’ve only used ASP-level authentication on IIS.
The logins implemented at the ASP level should be secure as long as you protect every page. I’ve seen them done where the ASP only checked your login to show the main navigation page, but you could manually enter URLs and get past the authentication. However, if you check on every page (typically using an include file that checks a login status from a cookie or session variable) you’re relatively secure. If you have static content like images and PDFs to protect, you can put those in another directory which is non-browsable by IIS and use a file system read to echo the contents to the user. This protects things like PDF and document files by hiding them behind an ASP page which can check login and then proxy the file contents (not just redirect).