DNN Security tips September 20, 2007Posted by fofo in DNN Security.
Tags: DNN, DOTNETNUKE, security
add a comment
Many people who build their portals using a version of the Dotnetnuke, need to find ways to protect their portals from hackers and malicious users
secure data from unauthorised users
This can be achieved by setting the appropriate permissions to every user. we can choose the pages that we want certain people to see. only those that have registered can look at the “forthcoming events”,for example.
2. Prevent Hacking
- Social hacking
Kevin Mitnick used to call a company,pretending that he was a former employee, and asked for some information.
Many times he managed to get people to give him usernames and passwords.
DNN cannot do anything about other administrators of the portal or registered users of the portal that give out their sensitive data. you can only alert them to the dangers of social hacking.
Brute Force Hacking
this is also called dictionary hacking.what happens is that a hacker uses a program that tries to get into a site using a known username.The password he tries comes from a dictionary of passwords. The best way to protect yourself is to have a policy in place that enforces a complicated password. also always remember to change the host and admin usernames and their respective passwords. the way to change the admin user is this.
- log in as host
- add a new user who has an administrator role
- log in with the new admin info
- delete the original admin user
That means that certain people can navigate to your site or portal and straight away realise they are browing a dnn site.
then they can do certain things. they can guess that you were propably too lazy to change the admin username and propably the admin password is dnnadmin. there are some ways to hide the obvious signs that your site is build on the DNN platform.
- Change the title bar
- Eliminate the source code comments
- Turn off the copyright message in the footer of the page
In a portal that SQL queries are used, a hacker can insert or alter an existing database query.This is done by using quotes to break out of a SELECT statement.
an example is when someone logs in the query is executed ”Select * from logintable WHERE username=’admin’ and password=’password’ ”
A hacker can inject a quote and comment characters to create a new SQL statement.
DNN uses stored procedures for all database access.This greatly reduces the possibility of hacking using SQL injection techniques.