Five tips for safety and usability issues for Web sites

Source: Internet
Author: User


Web sites today, e-commerce sites in particular, matter more with every wave of growth, and networks and Web sites have always attracted people trying to outsmart them. There is no absolutely secure computer, network or Web site. Even with a firewall, anti-virus software and regular security testing, assessment and repair by security experts, a site cannot be called safe: security problems come from many directions, and no single measure can guarantee security on its own. A secure Web site has to be built by coordinating several things. First, computer use should follow certain internal rules; beyond that, the following five aspects do most to keep a site secure:

1. Domain name management authority:

This is the most important point. A number of large Chinese network companies paid no attention to their domain name registration details in their early days, and once the business grew the result was conflict: whoever owns the domain name has the final say. Domain name resolution is generally handled like this: decide which domain name you need to promote, bind it to the server's IP address and publicise it; resolve all your other domain names to the one you are promoting; and always bind the top-level domain together with its www second-level domain. The reason is that ordinary Internet users in mainland China do not distinguish a site from a domain name and mostly think of www.jiasijun.com as "the domain name" or "the Web site", whereas technical staff, students fresh from textbooks and people outside the mainland recognise xxx.com as the top-level domain.

2. Web site data backup:

Web site data is best backed up every day; nobody can guarantee what will happen in the next second. Preferably keep several copies in separate storage. Data loss on the network is like the Wenchuan earthquake: it comes without warning, and the causes include technical failure, human error, war and other disasters that cannot be resisted.

3. Server management rights:

The first concern is the security of the server itself: if the server is broken into, the security of the Web site system makes no difference at all. The focus here is on technical negotiation with the server hosting provider;

The second is FTP or Remote Desktop management, the top-level management of the Web site system, and above all account security. If someone cracks your FTP or remote management credentials, it is the same as leaving a window open for people to climb in: everything in the house can be carried off at will.

Third, the server administrator has a great deal of technical work to do, and there are related articles on the Internet; webmasters who manage their own servers should read more about NTFS permission management and IIS permission management. Let the technical staff take sole responsibility for the script programs and for server security maintenance, so that, as far as possible, the data stays fully online 365*24, pages go live smoothly and the server does not go down. If a problem does occur, make sure the technical staff can be reached at once, so the problem is found and fixed as quickly as possible. The most common problem now is a flood attack; related information can be found by searching Baidu. Nobody can solve this with technology alone, and a firewall has no substantive effect here, at best dispersing part of the attack traffic. The only effective solution is to contact the server custodian to change the server's IP address, trace the source of the attack, issue a warning and, in serious cases, report it. Network forensics is difficult, though, so when a problem occurs the first thing to do is preserve a copy of the interface as evidence;

Finally, the server should generally have a 404 error page set up. That is, when a page that used to exist is opened at its old address and there is nothing there any more, the 404 error can be set to jump actively to a 404 page of your own, for example back to the homepage.

Script code runs on the server side; systems such as the Dongyi (PowerEasy) CMS and the Dongwang (Dvbbs) forum are of this kind. The two most important and most discussed problems in script code security are SQL injection and FSO permissions. Most interactive sites have a database, the code manages the database through SQL statements, and some variables in those SQL statements are taken from forms submitted by users. If the submitted form data is not filtered well, an attacker can construct special URLs or submit specially constructed strings in a form that make the SQL statement do something other than what was intended. Developers should therefore check and filter all form data on the server side, preferably passing everything submitted by a form through a specific function that enforces the expected type (character string or number). The program should of course also be well written for fault tolerance, and if you need to provide downloads and the like, consider encapsulating that in a DLL component. The second problem is upload vulnerabilities: once there is an upload vulnerability, the attacker gains the webmaster's authority, or even more than the webmaster's authority (the whole server is threatened). Over the past few years many Web site systems have had upload vulnerabilities (especially the 2006 Upload.inc vulnerability that let .cer and other file types be uploaded). But why is it that only a portion of sites get hacked every time a big hole is discovered? It is certainly not the attackers' mercy or conscience; it is that some Web sites use server settings to stop those vulnerabilities from causing any loss.

4. Scripting security: scripts refers to services such as asp, aspx, jsp, php and cgi on your site

On the server, remove the "execute" permission from every directory that does not need it and set it to "None", so that files in that directory can only be read, not run. For example, for a forum, leave only the root directory with execute permission and make every other directory read-only. For the Dongyi (PowerEasy) system, the root directory, the root directory of each channel, and the User and Reg directories contain ASP pages that must be executed from the browser, so give those execute permission and set the rest to none. In particular, upload directories such as Uploadfiles, and the picture directories, must be set to read-only. With this setting, even if an attacker finds the upload hole and immediately uploads an ASP Trojan to your uploadfiles directory, he cannot use that Trojan to do anything.

If your server uses the NTFS file system, it is important to set permissions on the directory that holds the site files: as long as you give the IUSR_<your machine name> user read and write permission, the site runs normally. Do not give users such as Everyone or Guest full permissions, and on non-web directories deny permissions to IUSR_<machine name> and similar users, so that a script Trojan uploaded to the server cannot cause serious security problems.

In addition, in the IIS application configuration, delete the program mappings you do not need; this also guards against a Trojan of some special file type that gets uploaded because the filtering was not strict enough.
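The directory settings described above, written out as an added PowerShell example that is not from the original article; the site name, the paths and the anonymous-user identity are assumed placeholders, and IIS 7+ (appcmd) is assumed rather than the IIS 6 of the article:

```powershell
# Added example (not from the original article): hardens an IIS 7+ upload directory
# the way the article describes - static content only, the anonymous web user limited
# to read/write (no execute), and that user denied outright on a non-web directory.
# Assumptions (placeholders, adjust to your server): site name, paths, and the
# anonymous identity 'IUSR' (IIS 7+; on IIS 6 it is IUSR_<machinename>).
$site       = 'Default Web Site'
$uploadPath = 'C:\inetpub\wwwroot\uploadfiles'   # web-visible, user uploads land here
$dataPath   = 'C:\inetpub\data'                  # not served by IIS (backups, database)
$webUser    = 'IUSR'
$appcmd     = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'

function Protect-Directory {
    # Replaces the ACL of $Path with exactly the rules given, so a broad grant
    # inherited from a parent (e.g. Users: Read & Execute) cannot re-enable execution.
    param([string]$Path, [object[]]$Rules)   # each rule: identity, rights, Allow|Deny
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)  # protect ACL, discard inherited ACEs
    foreach ($r in $Rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $r[0], $r[1], 'ContainerInherit, ObjectInherit', 'None', $r[2]
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# 1. IIS: the handlers section is locked at server level by default; unlock it, then
#    restrict the upload folder to Read (no Script, no Execute). An uploaded .asp
#    file is then served as plain bytes instead of being run by the ASP engine.
& $appcmd unlock config /section:system.webServer/handlers
& $appcmd set config "$site/uploadfiles" /section:handlers /accessPolicy:Read

# 2. NTFS: 'Read, Write' deliberately omits ExecuteFile for the web user; admins and
#    SYSTEM must be re-added because inheritance was removed.
Protect-Directory -Path $uploadPath -Rules @(
    @($webUser,                 'Read, Write', 'Allow'),
    @('BUILTIN\Administrators', 'FullControl', 'Allow'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'Allow')
)

# 3. NTFS: the web user gets an explicit Deny on everything outside the web root.
Protect-Directory -Path $dataPath -Rules @(
    @($webUser,                 'FullControl', 'Deny'),
    @('BUILTIN\Administrators', 'FullControl', 'Allow'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'Allow')
)

# 4. Verify the result: handler access policy and the effective ACEs.
& $appcmd list config "$site/uploadfiles" /section:handlers /text:accessPolicy
(Get-Acl $uploadPath).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Run it from an elevated PowerShell prompt on the web server; the Deny rule on the data directory is evaluated before any Allow, so the web user loses access there even if another group it belongs to is granted it.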

First of all, do your best to ensure the integrity of the program and keep it easy to operate. In principle, the attachment upload function should be opened as little as possible, but the nature of our company's two sites means it has to be opened, for uploading pictures and so on. Second, the program's pages can be processed into static pages: this makes them easier for search engines to index, which helps rankings, and it also solves the security problem, since the URLs then generally end in htm, html or shtml. Against such pages, the usual "hacker" who starts from the program's technology generally has no way in.

5. The fewer services, the more secure. This is an absolute rule of experience for networks and Web sites, though the trade-off against usability has to be weighed case by case. That is why the Web sites of people who really do programming generally open up very few permissions: apart from leaving messages, they give visitors no operational rights at all, and the interface is quite concise.

Note: The author wrote this article according to recent work needs, for a number of enterprise management issues of security and ease of use. Recently several old friends from my 2003-05 base "Red guest China" (http://www.honkercn.net/) and some online friends have been asking about the green-headed young "Cnsir", who is not me, hence I contributed this article to everyone for reference. Of course, because of current working hours, confidentiality and other considerations, this article omits or changes several details. This article takes IIS, ASP and Web sites as the base platform for analysis; if anything in it is not right, I hope everyone will offer good advice and suggestions.

Jiasijun Network Marketing consultant http://www.jiasijun.com
