Summary
That concludes our discussion of ASP security. We have seen how Windows NT, IIS 4.0 and ASP cooperate to provide us with a comprehensive set of key software technologies enabling:
- Secure exchange of information over public networks
- Access control to server resources
- Confident identification of client and server
The Microsoft Windows NT platform with IIS 4.0 forms a good, secure foundation and a flexible architecture, allowing emerging security standards to be easily incorporated into our web sites later, with minimum investment impact. This is vital, as there are likely to be many future changes in this area. Just on the horizon, the following are known to be on the way:
- Active Directory Services—the next version of NTDS is expected to provide user identification for NT logon simply by the presentation of a digital certificate.
- Secure Electronic Transactions (SET)—a set of standards designed to handle secure payment over the Internet, using cryptography and digital certificates. Information is only made available on a need-to-know basis, e.g. user's bank details are not exposed to the merchant.
- Portable Electronic Wallets—a digital version of a wallet or purse, storing all our personal information for payment (i.e. credit and debit card details) and access control and identification (i.e. digital certificates). This information will be portable by means of floppy disks or smartcards.
- Secure Channel Services—support for a new protocol Transport Layer Security (TLS) that is the unification of Microsoft's PCT and Netscape's SSL.
Finally, remember that the weakest link is usually the administrator. These security technologies will only work if they have been configured correctly and all security holes are filled. If not, there is always one smart person who will find a way to get through.
© 1998 by Wrox Press. All rights reserved.