Website Security (.htaccess, etc)

I’m a webmaster by default… meaning I don’t know anything, but the nothing I know is, far and away, more technical than the nothing that everyone else at the office knows.

So, I’m the guy.

I need to create a website that requires login to use. I understand (in theory) that I can use .htaccess files to do this, but I’m not 100% clear on the how. Plus, my info (from a tutorial at WebMonkey) requires me to build userlists in files located in /etc, and my company’s website is hosted on our webhost’s NT Server.

See my problem?

Can someone recommend a book, offer advice, recommend an online resource, recommend some cheap or free software, or offer to help me for free? :smiley:


Just ran across this the other day. Hope it helps.

The basics, which I’m not sure are outlined all that well in that tutorial, are:

  1. create an .htaccess file which specifies that you want to require authorization and that the authorization should be checked against some file in the current directory, such as .htpasswd.
  2. log into the web server and create the .htpasswd file using the “htpasswd” utility, adding a password for each user.

This is the simplest way, and it’s got its drawbacks, but it’ll get you started. The passwords are effectively sent as cleartext, and setting it up so that users can change their own passwords can be a nuisance. There are various different authentication types you can plug into this.

Actually, on review of your OP, it’s not clear what web server you’re using. The above is for Apache and derivative servers, whereas if you’re using IIS on NT, the method is totally different. If you’re using IIS, it’s actually quite a bit easier to tie it to NT user access – you just change the properties on the folder in the IIS admin tool such that only a particular set of users or groups is allowed access.
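
The two steps from the reply above, written out as an added example that is not part of the original posts: an `.htaccess` for Apache 2.4 using Basic authentication. The path `/home/example/private/.htpasswd`, the realm name and the users `alice` and `bob` are placeholders, and the file assumes mod_ssl is loaded and that the server configuration sets `AllowOverride AuthConfig` for this directory.

```apache
# .htaccess -- placed in the directory that should require a login.
# It only takes effect if the main server config permits it here:
#   AllowOverride AuthConfig
#
# Step 2 from the post, run once on the server (placeholder path and users):
#   htpasswd -c -B /home/example/private/.htpasswd alice
#   htpasswd -B /home/example/private/.htpasswd bob
# -c creates the file (leave it off for later users, or it overwrites the file),
# -B stores a bcrypt hash of the password instead of a weaker format.

# Step 1 from the post: require a login checked against the password file.
AuthType Basic
AuthName "Staff area"
# Absolute path. A file kept outside the web-served tree cannot be requested by URL.
AuthUserFile /home/example/private/.htpasswd
Require valid-user

# Basic auth sends base64(user:password) with every request, which is
# trivially decoded, so refuse any request that did not arrive over HTTPS.
SSLRequireSSL

# If the password file has to sit in this directory, as the post describes,
# block direct requests for it and for .htaccess itself.
<Files ".ht*">
    Require all denied
</Files>
```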

Some other things you should do:

  1. Disable all services on the Web server that are not needed. Services such as telnet and ftp will be potential security holes, so if you have no use for them, disable them.

  2. Use Apache 2.0, not IIS – IIS is just one big security problem

  3. Disable remote access, unless the machine is hosted at a colocation company

  4. Backup

  5. Install all security patches