Posted by: admin
Observed some RC sites and noted that many of them are not as secure as they need to be. Here are some tips to make your site more secure.

1. Look at your installation and make sure you deleted all pages whose names begin with [!]:

!setup.asp
!access_setup.asp
!mssql_setup.asp
!mysql_setup.asp

(In v2.1-2.2 it's cl_setup.asp)

It's very dangerous to leave those pages on your site. Anyone can run !setup.asp, reset your admin password, log on to your board and gain full control of the RC "Control Panel".
No need to tell what can be done to your site with full control.


2. Those who are running an MS Access database: make sure your database cannot be downloaded! If for instance your database is located in:

http://www.yourdomain.com/RC/db/cldb.mdb

then anyone can enter this in their browser and download your database. There are a few ways to prevent this.

a. Rename your "db" folder and reflect the changes in the "config/config.asp" configuration page.
b. Ask your host to set permissions so that nothing can be downloaded/viewed from this folder. If you have a "permissions" option within your site control panel, then remove the "web" permission from this folder.
c. Place this folder beneath the root of your site (may not be available on some hosts). If the location of your site root is for instance:

D:\sites\yourdomain.com\httpdocs\

then place your "db" folder in:

D:\sites\yourdomain.com\

Some hosts create this folder for you by default. For instance:

D:\sites\yourdomain.com\access_db

In such a case place the content of the RC "db" folder into this folder and configure the database location in "config/config.asp" as:

dbFolder = "../access_db/"

Or place the RC "db" folder itself into "access_db". The dbFolder reference in such a case would be:

dbFolder = "../access_db/db/"

NOTE: the "../" means the folder is located one level below the root of your site and is commonly referred to as a "back-path".
Some hosts however may disable the "back-path" reference on the server. In such a case you cannot place the "db" folder beneath the root.
Use the "a" and "b" solutions in such cases.


3. Always remove the "Admin" link from the menu after you set up your board. (in v3.1 see config.asp)

4. To further secure the admin logon page in v3.1 do the following:

- Create a bookmark to the admin_logon.asp page
- Come up with an argument to your page. For instance: ?OpenSesame=WorldWonders
(restrict to alphanumeric characters).

Modify your bookmark so that it looks like: http://domain.com/admin_logon.asp?OpenSesame=WorldWonders

- Open the admin_logon.asp page
- After the line: Sub Logon(flag, message, color), enter: If not Request("OpenSesame") = "WorldWonders" then Response.Redirect "default.asp"
- Modify the logon form: <form method="post" action="admin_logon.asp" name="admin">
So that it looks like:
<form method="post" action="admin_logon.asp?<%= Request.Querystring %>" name="admin">

Now this page can only be accessed for logon if the proper arguments are supplied.

NOTE: after you have logged on as admin there is no need to supply arguments to access this page anymore.
Posted On: 4/30/2005 5:24:08 PM
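A hardened form of the step-4 gate, added here as an example that is not part of the original post or of the RC code base. It reads the argument from Request.QueryString only (a bare Request("...") also accepts the value from a posted form field or a cookie), enforces the alphanumeric restriction the post recommends, and HTML-encodes the query string before echoing it into the form action so a crafted URL cannot inject markup into the page. The argument name OpenSesame and value WorldWonders are the post's placeholders; the helper name AdminGateOpen and the body of Sub Logon are assumptions.

```asp
<%
' Hypothetical helper for admin_logon.asp (classic ASP / VBScript).
' Returns True only when the named argument is present in the query
' string, is purely alphanumeric, and matches the expected value exactly.
Function AdminGateOpen(argName, expected)
    Dim supplied, re
    AdminGateOpen = False
    ' Query string only: Request(argName) would also search Form and Cookies.
    supplied = Request.QueryString(argName)
    If Len(supplied) = 0 Or Len(supplied) > 64 Then Exit Function
    ' Reject anything outside [A-Za-z0-9] before comparing.
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9]+$"
    If Not re.Test(supplied) Then Exit Function
    ' Case-sensitive comparison; VBScript "=" on strings is also binary,
    ' but StrComp makes the intent explicit.
    If StrComp(supplied, expected, vbBinaryCompare) = 0 Then AdminGateOpen = True
End Function

Sub Logon(flag, message, color)
    ' Gate check first, as in the post: visitors without the argument are
    ' sent back to the default page before any logon form is rendered.
    If Not AdminGateOpen("OpenSesame", "WorldWonders") Then
        Response.Redirect "default.asp"
    End If
%>
<!-- Echo the query string so the POST keeps the argument, but encode it:
     the raw value comes from the URL and would otherwise land in the
     form tag unescaped. -->
<form method="post" action="admin_logon.asp?<%= Server.HTMLEncode(Request.QueryString) %>" name="admin">
    <!-- original RC logon fields go here -->
</form>
<%
End Sub
%>
```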