Wednesday, August 14, 2013

And computer security law number 4:

Law #4: If you allow a bad guy to run active content on your website or online application, it's not your website any more

In Law #1, a bad guy tricks you into downloading a harmful program and running it, giving him control over your computer and its data – at least as much control as you had. But what about the reverse: if he can upload active content – programs, scripts, or even documents and pictures designed to crash people's computers in specific ways – and have them served from your website or online application? Your site becomes his platform for reaching out to capture data from site visitors or harm their computers, or reaching inward towards other systems that support your site.

If you run a website or hosted applications, you need to limit what visitors can do. Some sites provide an open forum for people to upload and distribute software, code or configurations – and that's fine as long as visitors understand Law #1 and the risks that come along with their downloads. But if the bad guy's uploaded programs actually run on your server or in the browser of visitors, he effectively owns your site and can impersonate you. Worse, the bad guy could gain your rights to the underlying systems, and might find a way to extend his control to the servers, data storage or network itself. If your site is on shared infrastructure or a cloud-based service, this can put other sites and data at risk, and potentially create interesting liabilities for yourself and other people.

A properly administered site host or cloud service will have taken many of these risks into account and will disallow scripts or programs uploaded to the service from affecting other accounts that happen to share the same resources. Just the same, you should only allow a program to run on your site or as part of your application if you wrote it yourself or if you trust the developer who wrote it, and make sure your operations and maintenance processes don’t run afoul of the host administrator’s security policies.
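As an added illustration of "limit what visitors can do" (example code written for this post, not from Microsoft's original article), here is a hypothetical upload handler that treats every upload as passive data: it allow-lists a few non-executable types, checks the file's magic bytes against the declared type, stores the file under a server-chosen random name with no execute bit, and returns the response headers that make the browser download the file rather than render or run it. The file names, magic signatures and policy are assumptions for this example.

```python
import os
import secrets
import stat
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed policy for a hypothetical upload endpoint: only passive
# document types, never anything a server or browser would execute.
ALLOWED = {
    "pdf": "application/pdf",
    "png": "image/png",
    "jpg": "image/jpeg",
    "txt": "text/plain",
}
# Leading bytes each allowed type must start with (txt has no signature).
MAGIC = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}

@dataclass
class StoredUpload:
    path: str       # where the file landed on disk (outside the web root)
    headers: dict   # headers to send when the file is served back

def store_upload(filename: str, data: bytes,
                 upload_dir: Optional[str] = None) -> StoredUpload:
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError(f"rejected: extension {ext!r} not in allow-list")
    sig = MAGIC.get(ext)
    if sig is not None and not data.startswith(sig):
        raise ValueError("rejected: content does not match declared type")
    upload_dir = upload_dir or tempfile.mkdtemp(prefix="uploads-")
    # Server-chosen name: the uploader never controls the path or extension.
    path = os.path.join(upload_dir, secrets.token_hex(16) + "." + ext)
    with open(path, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write, no execute
    # Serve with a fixed type, as a download, with no sniffing and no scripts.
    headers = {
        "Content-Type": ALLOWED[ext],
        "Content-Disposition": "attachment; filename=\"%s\"" % os.path.basename(path),
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    return StoredUpload(path, headers)
```

Whether the uploader names the file `shell.php` or `photo.png.php`, the extension check rejects it; a file that passes is only ever served as inert bytes under a name the uploader did not pick.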

If you need help with your network's security, please contact DNS today. (http://dynamicsupport.com/)

Source: http://technet.microsoft.com/en-us/library/hh278941.aspx
