I want to build my first web service and I need to know more about security. (I already posted to microsoft.public.dotnet.framework.aspnet.security with no response).
Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
> Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
The only way to make files *COMPLETELY* inaccessible is not to host them on a public website in the first place.
There are lots of things you can do to increase the level of difficulty in accessing certain files, but you simply cannot 100% guarantee complete inaccessibility.
E.g. you can use any sort of password protection. But what if by some billion-to-one chance somebody guesses your password...?
> I want to build my first web service and I need to know more about security. (I already posted to microsoft.public.dotnet.framework.aspnet.security with no response).
> Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
Every public web server strives to be secure, but that doesn't mean there is any foolproof way to keep a hacker out. The best you can do is do the best you can do.
If you were going to host a web service on a Windows web server, you'd most likely be serving it via IIS. Data files in ASP.NET are typically best placed in the App_Data folder, which is a folder that IIS knows not to grant outside access to. Your web.config file (or any file with a .config extension) is also not served by IIS, and in a production environment, you wouldn't have your source code (your .vb or .cs files) up on the server anyway, you'd just have your compiled assembly (.dll), which is also kept in a protected directory.
So, you really don't have to worry about the sensitive folders and files of your web service being accessible to the outside world any more than you'd worry about your entire server being hacked, which is not a .NET issue, but a server security issue.
>> Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
> The only way to make files *COMPLETELY* inaccessible is not to host them on a public website in the first place.
> There are lots of things you can do to increase the level of difficulty in accessing certain files, but you simply cannot 100% guarantee complete inaccessibility.
> E.g. you can use any sort of password protection. But what if by some billion-to-one chance somebody guesses your password...?
With a 14 character password of random characters it would be 1 chance in 4,205,231,901,698,742,834,534,301,696.
> "Peter Olcott" <NoS...@SeeScreen.com> wrote in message news:efOdnTK_QM2nM2nXnZ2dnUVZ_tOdnZ2d@giganews.com...
>> I want to build my first web service and I need to know more about security. (I already posted to microsoft.public.dotnet.framework.aspnet.security with no response).
>> Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
> Every public web server strives to be secure, but that doesn't mean there is any foolproof way to keep a hacker out. The best you can do is do the best you can do.
> If you were going to host a web service on a Windows web server, you'd most likely be serving it via IIS. Data files in ASP.NET are typically best placed in the App_Data folder, which is a folder that IIS knows not to grant outside access to. Your web.config file (or any file with a .config extension) is also not served by IIS, and in a production environment, you wouldn't have your source code (your .vb or .cs files) up on the server anyway, you'd just have your compiled assembly (.dll), which is also kept in a protected directory.
> So, you really don't have to worry about the sensitive folders and files of your web service being accessible to the outside world any more than you'd worry about your entire server being hacked, which is not a .NET issue, but a server security issue.
> -Scott
Great, how do I make files and folders inaccessible?
>> "Peter Olcott" <NoS...@SeeScreen.com> wrote in message news:efOdnTK_QM2nM2nXnZ2dnUVZ_tOdnZ2d@giganews.com...
>>> I want to build my first web service and I need to know more about security. (I already posted to microsoft.public.dotnet.framework.aspnet.security with no response).
>>> Specifically, I want to make it completely impossible for any outside user to have any access to any of the files stored on the web server. This is to include any data files, and the web service code. How do I do this?
>> Every public web server strives to be secure, but that doesn't mean there is any foolproof way to keep a hacker out. The best you can do is do the best you can do.
>> If you were going to host a web service on a Windows web server, you'd most likely be serving it via IIS. Data files in ASP.NET are typically best placed in the App_Data folder, which is a folder that IIS knows not to grant outside access to. Your web.config file (or any file with a .config extension) is also not served by IIS, and in a production environment, you wouldn't have your source code (your .vb or .cs files) up on the server anyway, you'd just have your compiled assembly (.dll), which is also kept in a protected directory.
>> So, you really don't have to worry about the sensitive folders and files of your web service being accessible to the outside world any more than you'd worry about your entire server being hacked, which is not a .NET issue, but a server security issue.
>> -Scott
> Great, how do I make files and folders inaccessible?
Did you not read my message? Your App_Data folder, .dll and .config files are already protected by IIS. And, you wouldn't publish your source code files to the production server anyway. There's nothing you need to do to make this stuff private.
Aside from this, you want to keep the server password private and employ a strong hardware and software firewall scenario as you would on any production public server.
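The protections described in this thread (App_Data, .config files, the compiled .dll, undeployed source files) can be checked from the outside on your own deployment. The script below is an added example, not part of the original posts: the host `example.test` and the file names are constructed placeholders, and `audit`, `verdict` and `http_status` are names chosen here.

```python
import urllib.error
import urllib.request

# Paths the thread says should never be served to an outside client.
# File names are constructed placeholders; use ones that exist on your site.
PROTECTED_PATHS = [
    "/App_Data/customers.xml",  # data file kept in App_Data
    "/web.config",              # any file with a .config extension
    "/bin/MyService.dll",       # compiled assembly
    "/Service.asmx.cs",         # source file that should not be deployed at all
]

def http_status(url, timeout=10):
    """GET the URL and return its status code without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verdict(status):
    """Classify one response from the point of view of an outside user."""
    if 200 <= status < 300:
        # Content was delivered. urlopen follows redirects, so a redirect to
        # a login page also lands here; confirm such hits by hand.
        return "EXPOSED"
    if 400 <= status < 500:
        return "blocked"        # server refused or denied the file exists
    return "review"             # 5xx or anything unexpected

def audit(base_url, paths=PROTECTED_PATHS, fetch=http_status):
    """Return a list of (path, status, verdict) for each protected path."""
    results = []
    for path in paths:
        status = fetch(base_url.rstrip("/") + path)
        results.append((path, status, verdict(status)))
    return results

if __name__ == "__main__":
    # Constructed responses standing in for a real server so this runs
    # offline; drop the fetch argument to query your own site instead.
    simulated = {"/App_Data/customers.xml": 404, "/web.config": 404,
                 "/bin/MyService.dll": 404, "/Service.asmx.cs": 200}
    base = "https://example.test"
    for row in audit(base, fetch=lambda url: simulated[url[len(base):]]):
        print(row)
```

Any row marked EXPOSED means the file is reachable without authentication; in the simulated run that is the stray `.cs` file, the case the thread says should not arise because source is not published to production.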