Posted 5.12.10
by wpadmin

How To Secure Your Website from Unwanted Access with Apache or IIS

The internet is teeming with threats to the security and integrity of your web server. It is essential that you protect your vital data and web pages from malicious hackers bent on using your site to phish for customer information or to send out countless spam emails.

There are multiple methods of securing your web page against unwanted intrusions: you can create a login page in PHP that queries a SQL database to check for a login, or you can enable a feature available in most web servers called basic authentication.

Basic authentication is a feature available in widely used web server software such as IIS 7 and Apache. It is an excellent choice for protecting content, since all major browsers support it and it works across firewalls. It has one drawback, however: the login credentials are sent to the server unencrypted. You should therefore use this type of authentication only when you know that the connection is secured, which is easily achieved by installing an SSL certificate.

In IIS 7 it is fairly simple to enable basic authentication: open the IIS 7 management window and find the Authentication option under the Features View window. Then click Enable to implement Basic authentication using the default settings. In Apache it is a little more complicated to enable the same type of authentication, and it takes a cursory knowledge of Apache.

In order to implement basic authentication on a web page you need to use an htaccess file and an htpasswd file. These will be placed in the root directory of your website, and you will need to add a directive to your Apache configuration file so that the server knows to look for the htaccess file before serving the directory. The Apache configuration should look something like this:

<Directory /var/www/mydomain.com>
    AllowOverride All
</Directory>

The htaccess file will contain a pointer to the file against which the server checks the provided credentials, as well as other authentication configuration options. If it is configured correctly, you will get a prompt asking for your credentials when any page is viewed. Using these methods it is quite simple to protect the vulnerable content that you want only authorized individuals to access.
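
As an added example (not part of the original post), a configuration of the kind described above could look like the following. The realm text, the user name alice and the password-file path are assumed values; the example also uses the narrower AllowOverride AuthConfig and adds SSLRequireSSL so the unencrypted credentials are only accepted over an SSL connection.

```apache
# --- Server config (httpd.conf or the site's virtual host file) ---
# Narrower alternative to "AllowOverride All": only authentication
# directives may be set from .htaccess files in this directory.
<Directory /var/www/mydomain.com>
    AllowOverride AuthConfig
</Directory>

# --- /var/www/mydomain.com/.htaccess ---
# Refuse requests that did not arrive over SSL, so the Basic
# credentials never cross the network in the clear (requires mod_ssl).
SSLRequireSSL

# Use HTTP Basic authentication.
AuthType Basic

# Realm text shown in the browser's login prompt (assumed value).
AuthName "Restricted Area"

# The pointer to the credentials file. Assumed path: this example keeps
# the file outside the web-served directory tree so it cannot be
# requested by URL.
AuthUserFile /etc/apache2/.htpasswd

# Any user listed in the password file may log in after
# supplying the correct password.
Require valid-user

# --- Creating the credentials file (run once, from a shell) ---
# "-c" creates the file; omit it when adding further users, otherwise
# the existing file is overwritten. "alice" is an assumed user name.
#
#   htpasswd -c /etc/apache2/.htpasswd alice
```

Reload Apache after changing the server configuration; changes to the .htaccess file itself take effect on the next request.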

For more information please visit the following sites:

Basic Authentication for IIS 7: http://technet.microsoft.com/en-us/library/cc772009(WS.10).aspx

Basic Authentication for Apache: http://httpd.apache.org/docs/1.3/howto/htaccess.html
