Site Security Planning
Site Security Planning |
|
Security plans and policies are effective only to the extent that they anticipate and counter potential threats. Establish a policy to periodically review your security plan, in light of changes in your organization’s business practices.
New ways of using the Web, such as connecting your Web users to your organization’s databases, will incur new vulnerabilities to threats—on your intranet and over the Internet. The scripts used to activate Web pages with database information contain code needed to open and query these databases. You will need to revise your security plan, in order to establish policies and practices that prevent unauthorized access to your proprietary Web application scripts (For an example, see the sidebar “Who Is Reading Your Server-Side Scripts?”).
| Who Is Reading Your Server-Side Scripts?
At some point in the near future you will probably want to provide your users with access to your server data over the Internet. You can accomplish this by writing scripts in ASP pages on the Windows® 2000 platform, utilizing the IIS 5.0 online product documentation as a resource. Browser users cannot view your scripts by viewing the page source, because the server-side scripting was removed before the page was sent to the browser. However, you will compromise the security of your server-side scripts if you allow browsing of directories containing scripts in ASP pages, or server-side includes containing collections of script fragments. Here are some common mistakes to avoid:
To prevent users from downloading copies of any of these file types, establish and enforce a policy of always keeping them in directories that disallow directory browsing. |