Securing Your Web Pages

Introduction

    If you have an existing website or web page (herein referred to as 'website') or plan on creating one, and you plan on exposing it on the Internet, then you will most likely need some form of security to prevent it from being used or accessed by people with no authority. This may also be true if your website will be accessible on your intranet only.

    There are many ways in which a website can be secured. Many 3rd-party tools are also available to strengthen the security of a website/web server. This paper will show you how to use Microsoft IIS and its built-in security to ONLY ALLOW people with the appropriate login abilities to access your website.

    This paper will not discuss the details of Windows file security or Microsoft IIS security as that is beyond the scope of this paper.

Who should read this paper

    Anybody who has or is thinking of developing a web-based application.

    There are no prerequisites; some knowledge of Windows file security would be useful, but is not required.

Different ways of securing your website/web pages

    There are many ways in which you can secure your website. The first is to REQUIRE that your web visitors log in to the system.

    IIS can be configured to allow anonymous users and/or authenticated users.

    Windows File security (the NTFS file system) also has file permissions where you can secure which user(s)/group(s) have access to particular files. These settings ultimately override those security settings within IIS allowing you to fine-tune "who has access to what".

    There are also other 3rd party tools out there that can enhance or replace the security settings offered by Windows NTFS file system and IIS.

    One other method that is worth a mention is "you". You can create your own form of security by creating a login-based system or other kind where your ASP.NET, ASP or PHP pages contain your own code to validate users and allow or deny them access to resources.

Securing your website/web pages in IIS

    In this section we will look at just a couple of the options available in IIS 5 for securing your website. We will also look at applying NTFS file permissions.

    First: understanding the location of your website files

      In IIS, the default location of the web pages is in the following folder:
      C:\INETPUB\WWWROOT\

      It is very easy to add folders and sub-folders within this location. You can also have web pages in completely different locations on other drives (using Virtual Directories).

    Next: determining your volume file system

      If you wish to use NTFS file security (recommended) then you MUST have a drive that uses NTFS. Here's how to find out:

      • Open My Computer
      • Highlight the drive that contains your files
      • Right-click on that drive and Choose Properties
      • The File System type should be shown at the top of the General tab.

    Securing files with NTFS

      Securing a file with NTFS permissions is really easy.

      • Simply locate the file/folder and then right-click on it/them.
      • Open their properties and you should see a Security tab.
      • In this screen, you can pick the user(s)/group(s) and specify the permissions they have on the file.

      When you apply security permissions on a file, any users on the internet who request that file will be required to provide their login information to access that file. This will happen regardless of the IIS configuration.

    Securing IIS

      There are many, many options within IIS that can secure the website. This paper will cover just a few of them in minor detail. Please refer to the Microsoft IIS documentation for detailed information.

      Open IIS. Here is a picture of IIS below:

      In the above screenshot I have expanded & highlighted my web site (Default Web Site). Beneath the web site you can see the Virtual Directories.

      Simply click on either the Default Web Site or the Virtual Directory where your files exist. We are going to limit access to the website to authorized users ONLY and prevent anonymous users accessing the site.

      Right-click on the Web Site or Virtual Directory and open its Properties. A window similar to the one below should open:

 

      Click on the Directory Security tab:

      Now click on the EDIT button:

      Disable/Uncheck the top option so that "Anonymous access" is prohibited.

      Make sure that the bottom checkbox "Integrated Windows authentication" is checked and active!

      Click the OK button on each screen until you are back at the main IIS window.
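
      A way to confirm the change took effect, as an added example that is not part of the original paper: with anonymous access off and Integrated Windows authentication on, a request sent without credentials should come back as 401 with Negotiate/NTLM challenges. The sample responses are constructed, and probe() and its host argument are hypothetical names for checking a server you administer.

```python
import http.client

# Constructed sample responses to an unauthenticated GET (not real captures).
SAMPLES = {
    "anonymous_on": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n<html></html>",
    "integrated_only": ("HTTP/1.1 401 Access Denied\r\nServer: Microsoft-IIS/5.0\r\n"
                        "WWW-Authenticate: Negotiate\r\nWWW-Authenticate: NTLM\r\n\r\n"),
    "basic_also_on": ("HTTP/1.1 401 Access Denied\r\nWWW-Authenticate: NTLM\r\n"
                      'WWW-Authenticate: Basic realm="intranet"\r\n\r\n'),
}

def parse_raw(raw):
    """Split a raw HTTP response into (status code, WWW-Authenticate values)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(head[0].split()[1])            # "HTTP/1.1 401 ..." -> 401
    challenges = [v.strip() for k, _, v in (h.partition(":") for h in head[1:])
                  if k.strip().lower() == "www-authenticate"]
    return status, challenges

def probe(host, path="/", port=80):
    """Send one request with no credentials (hypothetical helper, needs network)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.headers.get_all("WWW-Authenticate") or []
    finally:
        conn.close()

def classify(status, challenges):
    """Map the unauthenticated response to the IIS setting it implies."""
    schemes = {c.split()[0].lower() for c in challenges if c.split()}
    if 200 <= status < 300:
        return "ANONYMOUS"          # page served without a login
    if status != 401:
        return "INCONCLUSIVE"       # redirect, 403, 404, ...: check by hand
    if "basic" in schemes:
        return "BASIC_OFFERED"      # Basic only base64-encodes the password
    if schemes & {"negotiate", "ntlm"}:
        return "INTEGRATED_ONLY"    # the state the steps above aim for
    return "OTHER_CHALLENGE"

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(*parse_raw(raw)))
```

      Against a live server, classify(*probe("your-server")) gives the same verdict; anything other than INTEGRATED_ONLY means the Directory Security settings should be rechecked.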

Conclusion

    Indeed there are many ways in which you can secure your website/pages. This paper has outlined just a few of the many options available.

Copyright Software Toolbox, Inc., 1996-2004, All Rights Reserved Worldwide.