Windows Shared Hosting Security

May 10, 2008

I've been reading these forums for a while now... a lot of very interesting and useful stuff. However, I've always been happy with the hosting of my site until recently, and have never had a pressing reason for wanting to change.

However, I recently had a four-day outage to my site. The hosting company (which shall remain nameless, for now) put this down to a security problem which meant they had to take down the shared Windows server and go through all the sites on the server looking for the site that had bad code which caused the security outage. I also had problems with malicious JavaScript being injected into my pages prior to this.

I quote from the hosting company "Unfortunately this is a shared hosting solution and by its very nature, it means that poor code affects all sites on that web server. .... The vulnerabilities of ASP, MS-SQL and .Net are well documented." They then proceeded to try to sell me a dedicated server (which I believe will likely be too expensive for my needs).

I'm no expert on hosting, but this doesn't sound right to me. Is all Windows shared hosting afflicted with these kinds of security problems? Or only when it's not set up right? I need reliability, but not absolute 100% bulletproof uptime if it comes with a dedicated server pricetag. I do need to avoid outages of a number of hours/days (!!), however.

Hopefully one of the experts here can put me right. I can't believe that Windows hosting security is that bad that no company can have a shared hosting product that avoids the aforementioned problems. What do you think?


Shared Hosting Security

Nov 18, 2008

I'm a web designer trying to find a web host for a client. I've set up several clients, including the one in question, at IX and haven't had a problem until the other day, when my client's site was hacked. A redirect code was inserted, taking the user to a false site that installed a virus. The offending code was removed by IX but the client's experience with their tech support was less than satisfactory. I've seen similar stories on this forum and others.

I'm looking to find another host and have some questions about security on shared hosting plans. I understand that they're not completely secure but I'm wondering if certain hosts or certain servers are more susceptible to hacks than others? I see very little, if any, mention of security on sites of hosts offering low-cost, shared hosting plans.

Fewer low-cost hosts seem to be offering dedicated IP addresses. Is a shared IP address going to be less secure than a dedicated one?

My client's site is info only -- no ecommerce or user login -- so it doesn't have to be Fort Knox, but they shouldn't have to worry about it being hijacked either.

Lots of questions, I know. It's my first time posting on this forum, so be gentle.


Security In Shared Hosting Environment

May 26, 2009

I am in a shared hosting environment. Their PHP settings do not have open_basedir set and safe_mode is off.

I was poking around their server and noticed that using some simple system() calls within a PHP script, I was able to access /etc/passwd and therefore access all their clients' public_html.

I am currently calling them to let them know of the vulnerability. But out of curiosity, is it normal that I can read all the other sites hosted? They do have config files with MySQL passwords in them.


MySQL 5 & Shared Hosting Security

Sep 10, 2007

MySQL 5.0 supports stored procedures -- but is it safe to allow shared hosting customers to have privileges to create them? If the procedures are global, does that mean that:

a) one customer could write a procedure which accessed another customer's data?

b) any customer could call a procedure created by a different customer?

c) any customer could override an existing mysql function in a way that would affect other customers?

d) any customer could write a function that bound to a system library and crash the entire server instance?


Windows + Linux Shared Hosting

Aug 7, 2008

This one may be a bit of a stretch, but does anyone know of a shared host who gives you both Windows and Linux hosting with one account? It is possible, as the company myhosting.com seems to offer it, and I think (mt) MediaTemple has some betas with it.

Update: Apparently MyHosting.com does it by giving you a primarily Windows account with a Linux sub-domain. That would work for me, but I'd rather a more known provider.


Reliable Shared Windows Hosting

Jul 10, 2007

Long story short, my client has had issues with the last couple of hosts. We now need a new reliable yet affordable Windows host urgently.

He has an ecommerce shop running on a shopping cart called Product Cart.
earlyimpact.com/productcart/system_req.asp

Basically need the following:

Budget: No more than $20 a month

At least 500mb of web space
MS SQL DB 50MB minimum
ASPJPEG and ASPUpload
Ability to use third party private SSL certificate
Supports Linkpoint Connect payment gateway.

The recommended server configuration runs Windows 2000 or 2003 Server.

We've already tried CrystalTech but they don't include ASPupload.
We were ready to sign up for DiscountASP but it turns out to be $30 a month if we use a private SSL certificate and SQL DB.


GoDaddy Windows Shared Hosting, An Honest Review

Jun 12, 2008

After trying out GoDaddy shared web hosting for 2 months now, I am confident to give you a good review.

Purpose
I got Web Hosting from GoDaddy in order to get ASP.NET. I looked at other hosts but they are just more expensive. So I decided to go with GoDaddy since they provide quite a lot of storage space, bandwidth and of course ASP, ASP.NET 1, and 2, IIS 7 and quite cheap as well. Since HostGator didn't have that option, I didn't have any other choice.

Server Speed & Uptime
I monitor my website using SiteUptime, and there have been 0 downtimes in two months. Not sure how closely SiteUptime monitors a website, but that's what the stats read.

Server speed is very good. For example file upload/download speed is good and doesn't lag.

Scripting Support
Since I chose Windows Hosting, it comes with ASP.NET support, and the ability to create Virtual Directories via the mini web based IIS Manager.

I was actually surprised to see this but they also have PHP 5. On their Windows web hosting package they don't advertise PHP, but after testing a simple file I was just surprised and happy.

Data Base
They give you MS SQL Databases, Access and MySQL. What I really like in their database management area is, it gives you examples of different connection strings for your database.

Support
It usually takes 2-3 hours to process each ticket. The support representatives are kind and really helpful.

In a nutshell, GoDaddy really surprised me with their web hosting features, support and just wow.


Do Shared Windows Hosters Actually Like Windows Technology

Dec 10, 2008

There seem to be strong forum rules in place about the kinds of posts that hosters can make.

But from my perspective it is somehow leaving a large gap in useful information I would like to know that I can't quite put my finger on right now.

So I would like to get responses from Windows hosters in this thread without violating any forum spam guidelines and I sure hope I'm not wasting my time here with this concept but here goes...

So, the topic:

Ultimately, the thing Windows Web Hosters are providing is the delivery of information that has been constructed by developers using program code they have assembled using a large array of mostly .NET technology.

The reason the Hoster is providing Windows hosting is that a sufficiently large enough population of Web Developers have been attracted to some aspect of the Windows technology stack.

And there is certainly lots of innovative and interesting technology that attracts developers to focus on .NET in just the same way that there is also interesting technology in the Linux world.

So here's the problem. It appears as if the Windows hosting companies with the odd exception have almost no interest in Windows and .NET technology.

But if they actually did have such an interest, it is not clear how they would communicate it for discussion here at WHT because of the spam rules and of course trying to communicate anything at all about hosting on the general internet is just swamped by spam. The noise level is just insane!

So I am hoping that such a discussion can take place in this thread by asking some very specific questions:

1. What interesting Microsoft technology have you researched, tested or played with lately?

2. What programs or scripts have you personally developed lately to investigate .NET 3.5 features?

3. What do you think of XBAP delivery from the net and why do you think it hasn't caught on in a larger way since it sure delivers a richer client experience than Flash or even Silverlight?

4. What do you think of Azure and will Microsoft let hosters be part of the cloud anytime soon? Can you think of useful or interesting Azure mashups from a hosting perspective?

5. Have you tried any totally silly and insane things with the .NET runtime inside of SQL Server 2005/2008 that would give your DB guys a heart attack?

6. Have you tried out the Google systems where you give your employees 20% of company time to play around with personal projects like this?


Windows Security With IIS

Mar 2, 2007

I'm not a Windows security expert, so I'm hoping I can get some help here.

I have a test server running Windows 2003 Server (latest updates), PHP5 (using ISAPI) and IIS 6.

I copied over a PHP CMS and ran the install script. It is telling me that all the Directory and File Permissions it checks are writable. The thing is I have not set up the security for these directories yet. I have not added the IIS user to any groups or changed anything from the default install of Windows 2003. How can these directories be writable?

I went through the install anyways thinking that maybe the install script was reporting it wrong; it wasn't. It was able to create the configuration file fine and it had given the IIS user full control over the file. I double checked the website directory and it does not have IIS listed in the security tab and the IIS user does not belong to any groups except guest.

In the Advanced section of the security tab for the config file of the CMS it said that the IIS user inherited its security from c:. I checked c: and all directories down to configuration.php and the IIS user is not listed in the security tab so I am not sure how it is inheriting anything.


Concerned About Windows VPS Security

Jul 1, 2008

I was in a shared hosting environment for 2 years. Due to performance problems with my website I have moved to a Windows VPS with the Plesk 8 control panel. All of a sudden I am very much worried about my site's security. How vulnerable and volatile is one's security in a Windows VPS environment? Is there anything I can do from Plesk to tighten the security of my VPS so that my site cannot be hacked or can be safe from any damage?

Is there any guide or tutorial which can guide me through some settings in Plesk to make my site secure?

Although I have admin access I rarely do anything but FTP and create or modify or read email and accounts.

Windows Security Concerns

Sep 14, 2007

I am concerned about securing a Windows server without the use of a hardware firewall.

I have an idea as follows:

1) have a dedicated server running Linux

2) run VMware Server edition on this Linux box to host the Windows 2003 server.

3) use iptables etc. to secure the outer Linux layer (only allowing required ports through to the Windows box etc.)

What does everyone think - is this a potential runner? Am I overdoing things?


Hosting Review Site Or Top 3 Hosting Co. For Shared Hosting

Apr 23, 2009

I'm trying to find at least three web hosting companies to choose from to host a Joomla website on a shared server. Would consider dedicated if the deal was right. I have a friend of mine who wants to create a church website, and is looking for the best deal. I use Netfirms which I have never had an issue with, but I didn't want to be biased, and would like to give him other options to choose from.

Is there a good web hosting review site I could check out, or maybe someone could recommend their top three? I was reading through the forums here and I noticed there are not that many complaints with Hostgator. Again, I just want to see if there was anything out there better.


Windows 2008 Server + Plesk: Security

Jun 17, 2009

I would like to set up a new dedicated server with the following:

- Windows Server Standard 2008 64bit Edition

- Plesk control panel

Questions:

Anyone know of a thorough tutorial on securing/optimizing a Windows 2008 server (even with Plesk) for a shared hosting environment?

Other questions:

Considering Plesk's rip-off pricing, any free and quality alternatives to their products?

- plesk dr.web antivirus

- acronis trueimage backup

- plesk powerpack (I guess $24.99/mo lease isn't too horrible)

I basically want to replicate a Cpanel shared/reseller hosting environment, but with Plesk since Cpanel for Windows is not yet available and has been delayed forever.


Unlimited Domains With Shared Hosting Vs. Reseller Hosting

Apr 2, 2009

This question gets asked a lot in our Helpdesk and I figured I would post our knowledgebase article here to help anyone else wondering the Pros and Cons of Unlimited Domain Shared Hosting vs. Reseller Hosting. If anyone has anything else to add, I appreciate any feedback on how we can improve our KB article.

----------------------------------------------------------------------
Given the present state of shared hosting, many clients may ask "Why would I need a Reseller account if I can host unlimited Addon and Parked domains within a single shared hosting account?". There is certainly enough Disk Space and Bandwidth provided in many of today's hosting packages, so why bother to purchase a Reseller account?

Many don't realize the drawbacks of hosting large numbers of domains within a single hosting account until they've already packed tens of them onto a single package.

So how do you know whether a Reseller account or Shared Hosting account is right for you? The answer is in how you plan to provide access to others and how "mission-critical" the sites are. You should consider the following factors when deciding on hosting a large number of domains:

1. Who will be managing these sites?

2. How important is site security between sites?

3. Will these domains need dedicated SSLs?

4. How resource intensive will these sites be (RAM, CPU, MySQL)?

In a nutshell, Reseller plans are for those who wish to host websites for other sub-clients and a shared hosting package is for a single individual managing multiple personal domains. We'll go over the 4 points above in greater detail.

1. Who will be managing these sites?

If you personally own multiple domains and wish to host them within the same hosting space, you can easily do so with an Addon or Parked domain. An addon domain will allow you to host a new domain within a subdirectory of your hosting space. A parked domain will allow you to have multiple domain names point to the same content. Since addon domains reside within the same user space as your main domain, you can manage all of your domains with a single login. You can see the problem if you want to provide another user with access. Since all accounts are managed with a single set of login credentials, if you give another user access to their addon domain you are also giving them access to your main domain. If you have vital information stored on your main domain and you are hosting another domain as an addon domain for someone else, you cannot provide them access to their hosting without compromising the integrity of your main domain.

When hosting sites as a Reseller, your clients in turn will want access to their account and will want exclusive rights to their disk space and server resources. With a Reseller account, each sub-account you create gets its own username, password, and isolated user space on the server. Individual clients of yours have access to their user space and their user space alone. In addition to the isolation with regards to access concerns, each account also gets their own cPanel access. All of the same great features that you use to manage your sites can also be given to your clients. Next time client Y wants to add an email account, you don't have to do it for them for fear of giving them access to your cPanel, you can simply give them their login details and they can manage their own email accounts.

2. How important is site security between sites?

This is along the same lines as point 1. This is not necessarily related to who you are hosting for, but what content you are hosting. Imagine that you are a webmaster and you are hosting your own personal site-in-a-box community forums (such as PHPBB or vBulletin) on your main domain and a company website for a paying client on an addon domain. It is not uncommon for popular scripts to have security flaws in older versions. Script authors will often update security flaws in later versions of their software. For this reason, it is very important to keep scripts up to date on your site. But let's assume you forget to update your scripts for a couple of months and an unscrupulous individual takes advantage of a well-known security hole. Using this exploit, they gain access to your forums and any subdirectories. Since you are hosting another domain as an addon, they now have access to this domain's content as well. A site defacement on this company's site may not bode well for you when they are considering you for web master services in the future.

If these two domains had been separated into two individual users (i.e. two subaccounts created through a Reseller), their content would've been inherently isolated server side by Linux's user management. Sure, your forums still would've been affected by the security hole, but the break-in would've been isolated to your site alone.

Going back to our example, let's say that instead of a corporate website as an addon domain you are hosting an image gallery site for all of your cats. In this case, it may not be a big deal if a compromise in your main domain spreads to your addon domain. After all, they are both owned by you and you're only losing some time and effort to restore these sites from your local backups (which I'm sure you've actively maintained). But then again, you are losing time and time is money. If these sites had been separated into individual users, again, you'd only have to restore one site's content.

The idea here is isolation. Reseller plans provide you with the peace of mind to know that if one of your users doesn't keep up with their site's content as actively as they should, their actions won't negatively impact the content hosted on other domains. If you and those you host in your addons are diligent webmasters, maybe this point won't have much bearing on your decision. Only you can say for sure.

3. Will these domains need SSLs?

As of this writing, SSL certificates must have a dedicated IP address to be installed. If you are hosting multiple domains on the same shared hosting package, you can still install an SSL (or purchase a dedicated IP address and install one) but you are limited to exactly one SSL on your account. If you are hosting multiple domains on the same package (and consequently the same IP), you must choose which domain gets to have the dedicated SSL.

Sub accounts of Resellers can each be placed onto separate IP addresses and, as a result, can each have their own dedicated SSL installed.

Of course, both shared accounts and Resellers' sub accounts can use the server's shared SSL free of charge. However, some clients prefer to see their domain in the URL bar when they visit https.

4. How resource intensive will these sites be (RAM, CPU, MySQL)?

We've already established that disk space and bandwidth will be no problem. But what about CPU, RAM, and MySQL resources?

It's important to be aware of the resource needs of your website. As administrators, we have to make sure all users "play nice" on the server. We can't have user X eating all of the CPU cycles computing pi to the trillionth decimal place while you are trying to serve web pages to your loyal visitors. We have to monitor the actions of all of our users and in the event someone is stepping beyond the bounds of acceptable resource consumption, we have to take action. In most cases, this entails disabling the abusive script, but in extreme cases we have to suspend the abusive user account to prevent other domains from encountering performance degradation on their sites.

If you are hosting 100 domains as addon domains, all serving nothing but static HTML pages, maybe you will stay off the radar.

But considering most sites are more complicated than static HTML, you may want to be aware of how many sites you host as addons and what content they serve. If you're hosting the latest and greatest Joomla modules, with up to date news feeds, integrated forums modules, polls, blog posts, etc your site can certainly require a degree of CPU to serve your pages. Now imagine you have 5 or 10 of these sites all hosted as addon domains. The resources these sites need to generate their content can quickly add up and before you know it you've got a friendly email from Acenet, Inc. in your inbox wondering why your user is consuming 2 of the 8 CPU cores on the server. That may be an exaggeration, but you get the idea. In the event your resource usage becomes so excessive that we have to suspend your user, now all of your sites are down instead of whichever one may be the direct cause of the spike in CPU, RAM, or MySQL consumption.

If each of these had been separate Reseller accounts, the offending account could've been suspended temporarily while we work through the cause, leaving the rest of your domains live and kicking.

The conclusion here is that you need to be aware of the needs of your sites in a general sense. Hosting unlimited domains within a shared hosting space is certainly a nice feature. For those webmasters who have multiple presences on the web, it's very convenient to be able to manage all of their personal domains from a single control panel. For those entrepreneurs who are hosting multiple domains for other individuals, the features and security associated with a Reseller plan and the inherent isolation of Linux users is a must have.
----------------------------------------------------------------------


No Resource :: Shared Hosting Apache And Physical Hosting

Jul 31, 2014

I have a problem with my APS setup on sandbox. When I create on customer CCP, when I click finish I have this error. I must only test.

Error: Instance of application with id 124 and version '1-4' can not be provided: There is no resource of class 'Shared hosting Apache' with provisioning attributes 'Web Cluster' in subscription with id 1.:There is no resource of class 'Physical hosting (IIS)' with provisioning attributes 'Web Cluster' in subscription with id 1..

If I add the shared hosting Apache resource I get this error: There are no "apache" services that satisfy given attributes: "Web Cluster".


Web Hosting Security

Apr 8, 2008

I am conducting some research into potential risks that web hosts have to deal with on a daily basis. What potential security risks are there for web hosts? And how do they overcome these issues?


Hosting Security

Mar 24, 2007

I have hosting - php/apache - with Orchard Hosting, and I've been with them for many years and there's never been a problem.

Then, a couple of days ago I realised from my logs a text file had been put in a directory in my webspace without me knowing anything about it. I emailed my host and they said it could have happened by either:

1. someone using ftp and getting into my account

2. someone injecting PHP through a form on the site.

I've added some code to my validation to look for <? and fwrite keywords but I think it's secure! But in the logs, there's no visits to the pages where the forms are (one of which is AJAX powered) - so I'm not sure it's injection.

Is someone using some kind of anonymous connection to my FTP (which shouldn't work!) the most viable reason why this has happened?


Security For Web Hosting

Jun 11, 2007

I have a server running Windows 2003 Enterprise as web hosting. It isn't configured to be a Domain Controller. Can anyone advise me what I should do if this server is attacked by a hacker, a virus, or suffers an OS error or damage?


Debian Security For Hosting

Apr 26, 2009

For some weeks I have been trying to get a secure install for my Debian. This server will be a shared hosting host so it needs special security, but I don't know how to do this.

My requirements are:

- Apache

- PHP (mod, not cgi)

Actually, users can navigate into my server by using a phpshell script. And someone put lots of files into the /tmp directory, so I try to secure all of that but can't find a good tutorial for that; do you know where I can find some?

And what about PHP run from cron, so executed with php-cli: how do I secure it?


Linux Hosting And Security

Jan 20, 2008

About next week, I'll put a Linux box on the web.

Could anyone suggest what kind of security measures I could implement?

Iptables:
- Protect against DDoS?
- Protect against certain worms?
- Protect against flooding?

Services:
- Protect against constant dictionary attacks based on ports?

Pretty much any experience you could put down in this thread would be invaluable.

Also mod, if this shouldn't be here, feel free to move it; I'm not sure where it should go!


Web Hosting Where Security Cannot Be Compromised

Dec 15, 2008

I have read much helpful feedback regarding choosing a reliable web host. Most of the concerns are centered around costs. However, I am more particular about the relative security of my website in addition to other perks such as space, speed and bandwidth. I rate my concerns on a 1-10 scale:

Security 9/10
Bandwidth 7.5/10
Disk space 6/10
E-mails, backups, etc: 8/10
Cost: 7/10


How To Security For A Hosting Server

Jul 19, 2007

Which methods are needed to protect a hosting server?


Noob - Shared Hosting VS. Dedicated Hosting

Jul 13, 2005

I am developing a website for a client of mine (the client is a close friend and knows that he is getting a newbie). This site will be larger (project wise) than anything that I have ever done (everything I have done in the past has been FrontPage). We will be using several third party applications that need to run on the server as well as our own custom developed applications. We do not yet know how much access to the server's deeper structures we will need for all of the applications that we want loaded on our server to run. Things we have in mind: oscommerce, mysql, php5, apache, linux, vbulletin, blogger, phpbb, adserver, etc. Would these things run ok on a shared host and would I have full authority to configure them without needing full access to the server? Or will I need access to the entire server (dedicated server) in order to have full customization capabilities? I guess all I am trying to figure out at this point is will shared hosting for a large project limit our abilities to use 3rd party apps, or do most 3rd party application designers build their stuff to work in a shared hosting environment anyway? If we need to get a dedicated server we will, but if we can get away with shared hosting for a while (especially during development when the site will not be generating revenue) it would be nice to avoid the price of a dedicated server. Many thanks for your comments, insight, and expertise! Also, if anyone can cite some common scenarios that may require a dedicated server over a shared hosting plan, that may help me to understand what the limitations of a shared hosting plan vs. a dedicated or virtual dedicated server are.


Difference Between Using Shared Hosting And Reseller Hosting?

Aug 17, 2008

Here is my dilemma: thanks to a thread in these forums I was directed to a hosting website called pc-core.net and I was interested in using them, because it does not appear that they oversell at all. My question is regarding the fact that they have the shared hosting for $12/month with ~5gb of disk space and 50gb of transfer. I then just looked at reseller hosting for the heck of it, and noticed I could get a reseller hosting account with 45gb storage and 450gb of bandwidth for $10/month. Even though I won't be selling hosting, or anything like that, can I use a reseller hosting account like a normal shared hosting account?...just with more space and bandwidth?


Difference Between VPS And Say Shared Hosting Or Dedicated Hosting

Jun 13, 2008

I'm new to the VPS scene, so could someone tell me the difference between VPS and say shared hosting or dedicated hosting? Actually I'd really like to know what a Virtual Private Server actually is. I know shared hosting is typically a single account on a server with several hundred other accounts which is used primarily for the sole purpose of hosting websites, and I know that dedicated hosting is functionally the same as colo except that you rent the server, instead of having your own purchased server plugged into some network. So what is VPS?


Shared Hosting Vs. Dedicated Server Hosting

May 6, 2008

Do website builders generally go with shared hosting or dedicated server? I mean, if they work on several websites would they get a dedicated server instead of shared? From what I understand through reading shared hosting is basically if you only have one website. So one with multiple websites would go with a dedicated server?


Difference In Shared Hosting And Reseller Hosting

Apr 23, 2008

I would like to know the difference between shared hosting and reseller hosting.


Windows Server 2008 Logon Process And Some Security Concerns

Jul 29, 2008

Unlike earlier versions of Microsoft Windows Server, the 2008 version gives you a default logon screen that is very similar to Vista. Instead of the interactive dialog box that prompts you for a username, password, and sometimes domain, users will find a “push button” screen displaying all users with login permissions. To log into an account, all the users will now need to know is the password. This makes things much easier for hackers as the only thing they will now need to guess is the password.

There are a couple of ways to resolve this problem. First, the server administrator can set the local security policy to not display the last username and disable fast user switching. Second, in the System Remote Settings dialog, the remote desktop options can be set to allow computers with Remote Desktop that support Network Level Authentication.

Since the first method is covered in a few blogs, I’ll limit myself to discussing the second method. In the latest versions of Remote Desktop Connection client (version 2.0 for Mac and the version shipped with Windows Vista), Network Level Authentication is supported. This means users must send the username and password before Windows 2008 accepts the connection. Earlier versions of RDC (like the one found in many installations of Windows XP) don’t support NLA. So technically, users will only need to supply the IP or domain name of the remote Windows server, leave the username and password blank, and interact with the logon process that is provided at connection time. Windows 2008 servers that do not have the NLA option set for remote desktop connections are vulnerable since the interactive logon screen (post-connection) is displayed to users using earlier versions of RDC.

This last point may be of significance to service providers offering Windows 2008 dedicated servers. If the server is set up with default settings, the NLA option is disabled and new users will by default be made to change passwords on first logon. Users using new versions of RDC will not be able to log on because the initial password change sequence on first logon is not compatible with NLA. The server will return an incorrect password message to the RDC client even though the user has provided the correct username and password. The only way to establish the first connection is thus to use a non-NLA supporting version of RDC so that the user can establish connections without supplying credentials and then go through the password change wizard during the initial login. But as mentioned, having NLA disabled on the server side is not an ideal practice at this point.

So there are a couple of ways to do this. The service provider should disable the “change password on next logon” option during the user creation process and get the user to manually change the password after logon. Or alternatively, assist the client/user in changing passwords through the console internally.

View 0 Replies View Related
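A read-only audit of the settings the post above discusses (NLA for Remote Desktop, hiding the last user name, and accounts still flagged for a first-logon password change), as an added example that is not part of the original post. The registry locations are the standard ones for these settings; the helper name `Get-RegValue` is made up for this sketch.

```powershell
# Added example (not from the original post): read-only audit of the RDP/logon
# settings discussed above. Run in an elevated PowerShell session on the server.

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns the value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsGpo  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Group Policy, when configured, takes precedence over the local RDP-Tcp value.
$nla = Get-RegValue $tsGpo 'UserAuthentication'
if ($null -eq $nla) { $nla = Get-RegValue $rdpTcp 'UserAuthentication' }

$hideUser = Get-RegValue $sysPol 'DontDisplayLastUserName'

# Local accounts flagged "User must change password at next logon".
# The WinNT ADSI provider exposes that flag as PasswordExpired = 1.
$mustChange = @(([ADSI]"WinNT://$env:COMPUTERNAME").Children |
    Where-Object { $_.SchemaClassName -eq 'User' -and $_.PasswordExpired.Value -eq 1 } |
    ForEach-Object { $_.Name.Value })

$nlaOn = ($nla -eq 1)
"NLA required for RDP           : $nlaOn"
"Last user name hidden at logon : $($hideUser -eq 1)"
"Accounts that must change pwd  : $($mustChange -join ', ')"

if (-not $nlaOn) {
    Write-Warning 'NLA is off: pre-NLA RDP clients reach the interactive logon screen without credentials.'
}
if ($mustChange.Count -gt 0) {
    Write-Warning 'First-logon password change is pending on the accounts above; per the post, NLA clients cannot complete it.'
}
```

The script only reads state; it changes neither the registry nor any account.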

Plesk 11.x / Windows :: Webadmin Not Working - Security Error Shown

Jan 24, 2014

After clicking webadmin, it shows a security warning confirmation box as follows in Firefox ...

Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.

Are you sure you want to continue sending this information?

And if I click "OK", the page displays a "Server not found" error.

[URL] ...

View 1 Replies View Related

How Not To Get Hacked - Checking Out Web Hosting Security

May 8, 2007

I normally hang out in the web design area, so if there is a related thread, please point me there.

I have been hosting a very small site with, what I thought, was a respectable local company. This morning I went to my home page and guess what - my friendly neighbourhood hacker paid me a visit. Gone (commented out) is my home page content, replaced with the following text:

I would like to report that your site is highly compromisable. Please review your hosts security settings. I would recommend changing though, they are a piece of ****.
(I have not deleted anything. the original page is commented out but is still located in this file.)

This security message has been brought to you by Scorpian & AV.

How do I deal with this? If I get no response from my current hosting company on how someone got hold of my ftp password, I want to move my site, but how do I know the next company has better security measures? And what should these security measures include? Any tick lists out there for testing domain host's security?

View 7 Replies View Related






