Hi all,
I found this in the FrontPage 2003 Help file
When searching for HttpS (not HTTP) and SSL
With httpS the S being incredibly significant.
(I missed the S on a previous post)
About security best practices
The following suggestions are designed to help you make educated choices
when working to reduce the security risks associated with running a Web
site.
Best practices for managing files
a.. Install the latest security patches and updates to your Web server.
Notify your site visitors of this practice as well.
b.. When you are configuring your form results to be saved to a file, it
is best to keep the default folder that Microsoft FrontPage sets up for you,
_private. The _private folder cannot be browsed on Web servers running
FrontPage Server Extensions from Microsoft, SharePoint Team Services v1.0
from Microsoft, or Microsoft Windows SharePoint Services.
Note: Web servers running other technologies might not recognize this
folder as non-browsable. Use caution when publishing files by using File
Transfer Protocol (FTP) (File Transfer Protocol (FTP): A protocol for
copying files to and from remote computer systems on a network or the
Internet. FTP sites are frequently used on the Internet for making files and
folders publicly available.) or Web-based Distributed Authoring and
Versioning (WebDAV) (WebDAV: An application protocol for publishing and
managing files on the World Wide Web. It provides support for storing
information about a file, so authors can change a file and its properties
without overwriting other changes to that file.), since the _private folder
will not be recognized as non-browsable on the remote server.
c.. When you synchronize files by using Remote Web Site view, files on the
remote Web site will be downloaded to the local site. If malicious files
were placed on the remote Web site, the local Web site may be at risk. Be
sure that only trusted users have access to the remote site before you
attempt to synchronize files.
d.. Security vulnerabilities in external files or controls may extend to
Web pages that use those items. For example, external cascading style sheets
(external cascading style sheet: A cascading style sheet in a file with a
.css file name extension. A .css file is composed solely of style rules in
valid .css syntax, without any surrounding HTML tags.) (files with a .css
extension), script files (files with a .js extension), custom ASP.NET
controls, or other items may pose a security risk. Be sure your style
sheets, add-ins (add-in: A supplemental program that adds custom commands or
custom features to Microsoft Office.), themes (theme: A set of unified
design elements that provides a look for your document by using color,
fonts, and graphics.), executable files (.exe file: A file that contains an
executable program that runs on a computer when the file name is
double-clicked.), scripts, controls, and other files come from trusted
sources.
e.. Files that pose a threat to your server, or to the computers of Web
site visitors, may be uploaded intentionally (by malicious users) or
unknowingly (by trusted users). Make sure your server is running up-to-date
antivirus software and limit upload capability to trusted users. For more
details, contact your Web server administrator or Web site hosting company.
Best practices for Web server security
a.. Make sure to use a trusted Web site hosting company. To host
e-commerce solutions or SSL connections, a hosting service must possess a
digital certificate, which is issued by a third-party certificate authority.
If you can't verify the integrity of the server owner or hosting service, do
not host your Web site there.
b.. Financial transactions require a reliable e-commerce solution hosted
on a Web server configured with Secure Sockets Layer (SSL) (Secure Sockets
Layer (SSL): A proposed open standard that was developed by Netscape
Communications for establishing a secure communications channel to prevent
the interception of critical information, such as credit card numbers.)
technology. If you want to create an e-commerce solution, contact your Web
server administrator or Web site hosting company for more information.
c.. Cross-site scripting is a security vulnerability that could affect
many Web sites and Web users. The vulnerability is the result of coding
mistakes in Web applications. For more information, visit the Microsoft
Developer Network (MSDN) Web site.
d.. Identify the potential for SQL injection attacks when you process user
input that forms part of a SQL command. SQL injection is the act of passing
additional (malicious) SQL code into an application which is typically
appended to the legitimate SQL code contained within the application. If
your authentication scheme is based on validating users against a SQL
database, for example, if you're using Forms authentication against
Microsoft SQL Server, you must guard against SQL injection attacks. For more
information, visit the Microsoft Developer Network (MSDN) Web site.
e.. Be sure to use proper security settings on your Web site and to grant
access only to trusted users.
f.. Be sure that your password is not readable by others. For example, do
not store it where it is readable as plain text, such as in a macro or the
HTML or other code of a page or file in the site. Do not send a password on
the Internet unless you use the SSL protocol, which encrypts data. You can
tell when a Web address uses SSL because the address starts with "https"
instead of "http."
g.. A Web site certificate is a verification, issued by an independent
certification authority, that confirms the identity of a Web site. By using
a Web site certificate in your site, you can help prevent unauthorized
people from seeing the information that is sent to or from your site.
Best practices for passwords
a.. Avoid using hard-coded passwords for pages in your site. If you must
hard-code a password, store it in a folder that is not browsable by site
visitors, such as _private.
b.. When you need to create passwords, use strong passwords. Strong
passwords combine uppercase and lowercase letters, numbers, and symbols, and
should not contain patterns, themes, or words found in a dictionary.
c.. Change your password frequently; for example, every one to three
months. Notify your site visitors of this practice as well.
d.. When you connect to a data source, be sure that your password is not
readable by others. For example, do not store it where it is readable as
plain text, such as in a macro or the HTML or other code of a page or file
in the site. Do not send a password on the Internet unless you use the
Secure Sockets Layer (SSL) (Secure Sockets Layer (SSL): A proposed open
standard that was developed by Netscape Communications for establishing a
secure communications channel to prevent the interception of critical
information, such as credit card numbers.) protocol, which encrypts data.
You can tell when a Web address uses SSL because the address starts with
"https" instead of "http."
Best practices for using Web packages
If your Web site is located on a server running FrontPage Server Extensions
from Microsoft, SharePoint Team Services v1.0 from Microsoft, or Microsoft
Windows SharePoint Services, take the following precautions:
a.. Avoid adding Universal Data Connection (UDC) files to a Web package. A
UDC file is an XML file, stored in the _fpdatasources folder, that contains
configuration information for a data source. UDC files can contain passwords
in plain text.
b.. Avoid packaging SharePoint document or picture libraries that contain
files. When other users import the Web package, those files will be added to
their Web site.
Best practices for using cookies
a.. Use HTTP-only cookies. To mitigate the risk of a third party accessing
the data stored in cookies on your site visitors' computers, the HTTP-only
attribute specifies that a cookie is not accessible through script. By using
HTTP-only cookies in your site, you can help reduce the possibility that
sensitive information contained in the cookie can be sent to a hacker's
computer or Web site with script.
Note: Microsoft Internet Explorer 6 Service Pack 1 (SP1) supports the
HTTP-only attribute.
b.. By posting links for your site visitors to download critical updates
and patches as well as the latest versions of the Web browsers that they
use, you can help ensure that your site visitors are using a more secure
version of the Web browser of their choice.
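Added example (not from the FrontPage Help text or the post above): the two
points in "Best practices for Web server security" item d (SQL injection in a
Forms-style login against a SQL database) and "Best practices for using
cookies" item a (HTTP-only cookies), shown in one login flow. It uses Python
with an in-memory SQLite table as a stand-in for the SQL Server database the
Help text mentions; the user table, the user "alice", her password and the
function names are all constructed for illustration. The vulnerable login
builds the query by string concatenation, which the injected username
`alice' --` turns into a comment-terminated query that skips the password
check; the safe login binds the input as a parameter so the SQL text never
changes. The session cookie issued on success carries the HttpOnly attribute
the Help text recommends, plus Secure so it is only sent over https.

```python
import hmac
import secrets
import sqlite3
from http.cookies import SimpleCookie


def build_db() -> sqlite3.Connection:
    """Constructed sample data: a one-row user table standing in for the
    SQL Server database that Forms authentication would validate against.
    (Passwords are stored in clear here only to keep the injection point
    visible; a real store would hold salted hashes.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The mistake the Help text warns about: user input is concatenated
    into the SQL command, so attacker-supplied text becomes SQL.
    Username  alice' --  yields
      SELECT username FROM users WHERE username = 'alice' --' AND password = '...'
    and the password test is commented out."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The SQL text is fixed; the username travels as a bound parameter and
    can only ever be compared as a value, never parsed as SQL. The password
    is compared in constant time rather than inside the query."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], password)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie: HttpOnly keeps it out of
    reach of script (document.cookie), Secure keeps it off plain http."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()


def handle_login(conn: sqlite3.Connection, username: str, password: str):
    """Safe login flow: returns (True, Set-Cookie value) on success,
    (False, None) otherwise. The session id is a fresh random token, not
    anything derived from the user's credentials."""
    if not login_safe(conn, username, password):
        return False, None
    return True, session_cookie_header(secrets.token_urlsafe(32))


if __name__ == "__main__":
    db = build_db()
    payload = "alice' --"  # constructed injection string
    print("vulnerable login, injected username:", login_vulnerable(db, payload, "wrong"))
    print("safe login, injected username:     ", login_safe(db, payload, "wrong"))
    ok, header = handle_login(db, "alice", "correct horse battery staple")
    print("safe login, real credentials:      ", ok)
    print("Set-Cookie:", header)
```

Running it shows the concatenated query accepting the injected username with a
wrong password while the parameterized version rejects it, and the issued
cookie header ending in `HttpOnly; Path=/; Secure`. In ASP.NET against SQL
Server the same separation is achieved by passing values through command
parameters instead of building the command string, and by setting the
HttpOnly attribute on the cookie, which the Help text notes Internet Explorer
6 SP1 honours.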