Cover Story
Safety on the Net
WinMag's Web Woes

-- By David W. Methvin, Senior Technical Editor

As long as we're naming insecure Web sites, let's not forget this one: WINDOWS Magazine.

In running the security check on our own site, we discovered several of the Web server security holes discussed in this article. We did a mediocre job on the security checklist, too. Because we left the vendor's sample files in place, it was especially easy to exploit one of the security holes.

We were bitten by these bugs for the same reasons many other sites are stricken. When we launched our Web server, we left all the files from the original installation in place, since we weren't sure which files were samples and which were really necessary for operation. We didn't keep up with security alerts, and we didn't check for vendor updates. In addition, while testing the CGI scripting, someone left a sensitive program file in the CGI directory. Finally, three different people were responsible for different aspects of server operation. When files were changed or created, it was easy to assume that it was someone else's work.

We've now cleaned up those sample files and updated to the latest Web server software version, which closed those particular security holes for good. We've also mapped out responsibilities, so it's clear who needs to take care of what. We check regularly for unusual occurrences in the server logs now ... and we're a lot more paranoid.
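One way to make "whose file is this?" answerable is to keep a manifest of approved files with a named owner for each, then audit the server directories against it. The sketch below is an added example, not WINDOWS Magazine's own tooling; the file names, owners and manifest layout are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                digests[rel] = hashlib.sha256(f.read()).hexdigest()
    return digests

def audit(root, manifest):
    """Compare root against manifest {path: {"sha256", "owner"}}; return findings."""
    current = snapshot(root)
    findings = []
    for rel in sorted(current):
        entry = manifest.get(rel)
        if entry is None:
            # Nobody signed off on this file: leftover sample, stray test program.
            findings.append(("UNLISTED", rel, None))
        elif entry["sha256"] != current[rel]:
            findings.append(("CHANGED", rel, entry["owner"]))
    for rel in sorted(set(manifest) - set(current)):
        findings.append(("MISSING", rel, manifest[rel]["owner"]))
    return findings

def demo():
    """Constructed scenario: three approved files, then three unrecorded changes."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
        owners = {"index.html": "editor", "cgi-bin/search.cgi": "webmaster",
                  "cgi-bin/feedback.cgi": "developer"}
        for rel in owners:
            write(rel, b"approved content of " + rel.encode())
        manifest = {rel: {"sha256": digest, "owner": owners[rel]}
                    for rel, digest in snapshot(root).items()}
        write("cgi-bin/sample-test.cgi", b"left over from testing")    # unlisted
        write("cgi-bin/search.cgi", b"edited without telling anyone")  # changed
        os.remove(os.path.join(root, "index.html"))                    # missing
        return audit(root, manifest)

if __name__ == "__main__":
    for status, path, owner in demo():
        print(f"{status:9} {path:28} owner={owner or 'nobody'}")
```

An UNLISTED finding has no owner by construction, so it cannot be waved off as someone else's work: the file either gets an owner and a manifest entry or it gets removed.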

