Marc Liddell - 040001950

AC41006




E-commerce website and server report
Date: 19 December 2008




Contents
1. Introduction ........................................................................................................................................ 3
2. Setting up the web server ................................................................................................................... 3
3. Setting up SSL ...................................................................................................................................... 4
   3.1 Certificate and binding settings .................................................................................................... 4
   3.2 Adding an SSL directory .................................................................................................................. 4
   3.3 Ensuring appropriate encryption is used ...................................................................................... 4
4. Configuring the Windows firewall ...................................................................................................... 5
5. Closing the NetBIOS ports (135 and 137) ............................................................................................ 6
6. Closing file and printer sharing port (445) .......................................................................................... 6
7. MySQL durability ................................................................................................................................. 6
   7.1 MySQL Security ............................................................................................................................. 6
   7.2 MySQL logging............................................................................................................................... 7
   7.3 MySQL Backups ............................................................................................................................. 7
8 Server durability ................................................................................................................................... 7
   8.1 Server logging................................................................................................................................ 7
   8.2 Server back-up .............................................................................................................................. 8
9 Error Redirection .................................................................................................................................. 9
10 Coding Challenges .............................................................................................................................. 9
   10.1 Cross host compatible................................................................................................................. 9
   10.2 Seamless SSL ............................................................................................................................... 9
   10.3 PayPal ........................................................................................................................................ 10
   10.4 Downloading and uploading ..................................................................................................... 10
   10.5 CSS ............................................................................................................................................. 10
   10.6 MySQL Injection ........................................................................................................................ 10
11 Ecommerce ...................................................................................................................................... 10
   11.1 Privacy policy ............................................................................................................................ 10
   11.2 Ecommerce Element ................................................................................................................. 11
   11.3 Artist accounts .......................................................................................................................... 11
12 Server Details ................................................................................................................................... 11
13 Security Report ................................................................................................................................ 12
   13.1 Nessus scan ............................................................................................................................... 12
   13.2 Ports .......................................................................................................................................... 12
   13.3 General vulnerabilities & website ............................................................................................. 13


  13.4 Security conclusion ................................................................................................................... 13




1. Introduction
In this project I have been asked to set up a secure web server, host a website which can be used to
pay for, upload and download music tracks, and investigate the security of a fellow student’s server.




2. Setting up the web server

The following steps should be followed to initially set up the web server.

    1. I have used a PC running on Windows Vista, with SP1 installed.
    2. Install IIS from the control panel:
           a. Control Panel
           b. Programs and Features
           c. Turn Windows features on or off
           d. Internet Information Services
           e. Tick all boxes in all sub folders of this
    3. Install MySQL server on the machine; the exe can be downloaded from:
       http://dev.mysql.com/downloads/mysql/5.1.html
           a. When doing this, the MD5 hash given on the website should be compared to the
                 MD5 of the downloaded file. MD5 file hashes can be generated using many free
                 programs available on the web, or in the command prompt.
    4. Install MySQL GUI interface
       http://dev.mysql.com/downloads/gui-tools/5.0.html
           a. This download should again be checked against the md5 hash.
    5. Install the php 5.2.8 binaries from
       http://uk.php.net/get/php-5.2.8-nts-Win32.zip/from/a/mirror
           a. This download should again be checked against the MD5 hash.
           b. These files should be extracted into the directory c:/php
           c. Follow the steps on the following blog to set up php for IIS
                 http://blogs.iis.net/bills/archive/2006/09/19/How-to-install-PHP-on-IIS7-
                 _2800_RC1_2900_.aspx


Now that these steps are complete, the following can be implemented in any order to secure the
server and the services that depend on it.




3. Setting up SSL


3.1 Certificate and binding settings


I found the following web page useful for reference.
http://weblogs.asp.net/scottgu/archive/2007/04/06/tip-trick-enabling-ssl-on-iis7-using-self-signed-
certificates.aspx

If you already have a signed certificate, skip steps 1-3.

    1. From the root computer in connections, open Server Certificates
    2. Depending on preference click “Create Self-Signed Certificate” or “Create Domain Certificate”
       (for this project I created a certificate using filegate.computing.dundee.ac.uk)
    3. Follow the steps accordingly
    4. Using the appropriate website in “Sites”, select “Bindings...” in the right hand panel
    5. Select “Add...”
    6. Type is https, IP address is All Unassigned, port is 443, select certificate as appropriate
    7. Select ok, and close

3.2 Adding an SSL directory


    1. Select an appropriate directory in the website, or the whole website if you so wish, in the
       connections panel.
    2. Select “SSL settings”
    3. Tick the appropriate options, for my server I used “Require SSL”, “Require 128-bit SSL” and
       Client certificates: Ignore.

3.3 Ensuring appropriate encryption is used


Many encryption algorithms and ciphers which are still active on Windows Vista are now insecure;
these must be disabled to ensure the strength of the encryption.

    1. Open up the registry (Run-> “regedit”)
    2. Back-up the registry (File-> Export) (this can be used if it is corrupted during this process)
    3. Go to the following location:
       Computer/HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SecurityProviders/Schannel/Protocols
    4. Create a key named “PCT 1.0”, next create a new key named “Server”, and finally in this key
       create a DWORD (32-bit) Value with the name “Enabled” and value 00 00 00 00
    5. If SSL 2.0 is already present, go into its Server key and change the Enabled DWORD to
       00 00 00 00. If this does not exist, create it as above.
    6. Create a key named SSL 3.0, next create another key named Server, and in this key create a
       DWORD (32-bit) Value named “Enabled” with the value ff ff ff ff

    7. In the directory
       Computer/HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/SecurityProviders/Schannel/Ciphers,
       create the following keys, and in each key create a DWORD (32-bit) Value with the
       name Enabled and value 00 00 00 00:
            a. DES 56/56
            b. NULL
            c. RC2 128/128
            d. RC2 40/128
            e. RC2 56/128
            f. RC2 128/128
            g. RC4 128/128
            h. RC4 40/128
            i. RC4 56/128
            j. RC4 64/128
    8. And finally, in the same directory, create a key named “TripleDES 168/168”, with a
       DWORD(32-bit) value, with the name Enabled and value ff ff ff ff.



    These settings are appropriate at the time of writing; over time these ciphers may become
    vulnerable, so the settings may need to be changed.




4. Configuring the Windows firewall

The Windows firewall can be very useful to block ports and programs. It should be used, and
configured as below.

    1. Go to control panel -> Windows Firewall
    2. Ensure the firewall is turned on.
    3. Select “Allow a program through Windows Firewall” on the left hand side
    4. Unselect all tick boxes which are available to unselect. (Some were unavailable to unselect on
       my machine due to either access rights or Windows Vista blocking me.)
    5. Add the following ports by clicking “Add port...”
           a. Name: “http”, port number: “80”, TCP
           b. Name:”https”, port number: “443”, TCP




5. Closing the NetBIOS ports (135 and 137)

These ports have to be closed down elsewhere, as they are not in the firewall settings.
These ports are potentially vulnerable to attackers; at minimum, they can obtain computer
information from them.

    1.   Go to Control Panel -> Network and security
    2.   On the left panel, go to “Manage network connections”
    3.   Go to properties of the LAN or access point
    4.   For Internet Protocol Version 4 (TCP/IPv4) and IPv6, go to properties, then advanced
    5.   In the WINS tab, select Disable NetBIOS over TCP/IP


6. Closing file and printer sharing port (445)

Closing this port removes an access point for attackers.

    1. Go to Control Panel -> Network and security
    2. On the left panel, go to “Manage network connections”
    3. Go to properties of the LAN or access point
    4. Uncheck the following:
           a. Client for Microsoft Networks
           b. File and Printer Sharing for Microsoft Networks
    5. Click “ok”




7. MySQL durability


7.1 MySQL Security


To make MySQL secure against outside attacks, remote access must be shut down. This means
closing port 3302. This can be closed on the Windows firewall (section 4). Closing this maintains
access for the local host, but removes access from the web.




7.2 MySQL logging


This is necessary for database durability, should it fall over.

    1. Open the MySQL Administrator in MYSQL GUI tools
    2. Create a stored connection with the appropriate log-in information
    3. Go to Start-up Variables -> Log Files and enable the following:
           a. Binary Log file
           b. Query Log file
           c. Error Log file
           d. Update Log file
    4. Give them appropriate names.



7.3 MySQL Backups


Backups are necessary for restoring the database after corruption or physical damage. These
should be stored on a separate PC, preferably in a separate, secret location; however, for this project
I deemed this unnecessary due to cost and timescale.

    1. Open the MySQL Administrator in MYSQL GUI tools
    2. Go to the back-up tab
    3. Select the appropriate database (for my project this is marcliddell_website)
    4. Select appropriate backup type. (I chose InnoDB online back-up, so that service was not
       disrupted)
    5. Schedule as required. (For my set up, I back up every day.)




8 Server durability

This is vital to efficient recovery and contingency plans. Logging is also good for statistics, which can
be extremely useful.

8.1 Server logging
    1. In IIS, go to the appropriate website in the connections panel.
    2. Go to logging, under IIS
    3. Set as required (for this project I set to daily log files, with no maximum size and using the
       default directory.)




8.2 Server back-up


Although there are no actual menu settings for this, I regularly backed up web files on a pen
drive, which is normally kept offsite. This is essential if another server needs to be set up and the
files placed on it. Ideally a second server would be set up in parallel, so if the main server fell
over, the secondary server could take its place.




9 Error Redirection

Error pages can expose critical information about a web server to attackers; these should be avoided
as much as possible. One step I took to ensure this information was not leaked was to implement
an error redirection for errors 401, 403, 404, 405, 406, 412, 500, 501 and 502.

This was implemented by linking the appropriate pages as follows:

    1.   Open IIS manager, go to the appropriate website in the connections panel
    2.   Go to Error pages, under IIS
    3.   Select “Edit Feature Settings...” in the right panel
    4.   Select custom error pages, and select “ok”
    5.   Then edit the path of each error page as appropriate. (For this project I simply named the
         pages 401.php, 403.php etc.)




10 Coding Challenges


10.1 Cross host compatible


Due to the nature of web page design, some page directories have to be hard coded. However, there
are methods around this in PHP, using variables such as $_SERVER['HTTP_HOST'], which returns the
part of the URL between http:// and the first /. So if the web site moved domain names, the site
would still operate fully. Many links are relative though; this is only used in cases where the file
is in the directory above.



10.2 Seamless SSL


The majority of my site does not require SSL; however, there are several pages which do,
registration and login for example, where passwords are travelling on the wire. I achieve this by
placing the form action pages in a secure directory and referencing them using a full URL, to change
to https. Then, once the login is complete, the site reverts back to http. The reason for doing this is
that encrypting all traffic would simply be too much overhead, should the site get busy.

Also, at first I believed that the login form had to be in SSL; however, after research on the
internet and using Wireshark to test this, I discovered this was not required, and only the action
page had to be in SSL. This allowed my site to have the login appear at the top of every
page.


Before the password is sent over the wire it is also SHA-1 hashed (then SSL is applied); this helps
ensure no sensitive information can be found on the wire or in the database.
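As an added example (not the report's own code), the helper below builds absolute links from $_SERVER['HTTP_HOST'] as section 10.1 describes and uses them to point the login form at an https action page in the secure directory and back to plain http afterwards, as in section 10.2. It first checks the Host header against an allow-list, because HTTP_HOST is supplied by the client; the host names, paths and PHP 7+ syntax are assumptions.

```php
<?php
// Added example, not the report's own code. Builds absolute URLs from the
// request host (section 10.1) and uses them to switch into and out of the
// SSL directory (section 10.2). HTTP_HOST comes from the client's Host
// header, so it is accepted only when it matches a host we serve.

// Hosts this site is allowed to answer for (assumed values; the first
// entry is the report's certificate host name, used here for illustration).
const ALLOWED_HOSTS = ['filegate.computing.dundee.ac.uk', 'localhost'];

/**
 * Return the request host if it is on the allow-list, otherwise the first
 * allowed host. An explicit port suffix (host:8080) is stripped first.
 */
function trusted_host(array $server): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host);
    return in_array($host, ALLOWED_HOSTS, true) ? $host : ALLOWED_HOSTS[0];
}

/**
 * Build an absolute URL for $path with the scheme forced to https or http.
 * Ordinary links stay relative; this is only for the full URLs that move
 * the browser into the secure directory or back out of it.
 */
function site_url(array $server, string $path, bool $https): string
{
    $scheme = $https ? 'https' : 'http';
    return $scheme . '://' . trusted_host($server) . '/' . ltrim($path, '/');
}

// --- usage with a constructed request array (not a live server) ---
$fake_server = ['HTTP_HOST' => 'filegate.computing.dundee.ac.uk', 'HTTPS' => 'off'];

// The login form can sit on a plain http page; its action lives in /secure.
$login_action = site_url($fake_server, '/secure/login_action.php', true);

// Once login has completed, the user is sent back to the http part of the site.
$after_login = site_url($fake_server, '/index.php', false);

// A request carrying a Host header we do not serve falls back to the first
// allowed host instead of being echoed into our own links.
$spoofed = site_url(['HTTP_HOST' => 'attacker.example'], '/index.php', false);

echo $login_action, "\n", $after_login, "\n", $spoofed, "\n";
```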



10.3 PayPal


To enable payment on my site, I decided to use PayPal. During the development stage, and for the
marking stage, I have left this on the PayPal sandbox, so no real money is transferred. Using this
gives confidence to use the site, as most users trust PayPal to handle their details securely. The
PayPal script I have used works by posting multiple variables to PayPal; the user pays, and once
PayPal has completed the transaction successfully, the user is returned to the website along with a
secure hash which identifies the transaction. This is then used to allow the user access to the music.

10.4 Downloading and uploading


A core function of the site is uploading and downloading music. For this I have decided to
restrict files to mp3 format. When uploading, files are stored off the server, so that they are not
accessible to anyone on the web. When a user downloads a file it is moved into a hashed folder,
and it will be removed after a set time period so that no other users can access the file by typing in the
URL directly.
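The download scheme just described, as an added example that is not the report's own code: a purchased track is published into a randomly named folder under the web root and folders older than a set lifetime are deleted. The example assumes "stored off the server" means a store directory outside the web root, copies rather than moves the file so the store keeps its copy, and uses assumed paths and a 10-minute lifetime.

```php
<?php
// Added example, not the report's own code. Implements the hashed
// download folder of section 10.4: the master copy lives outside the
// web root, a purchase gets a fresh random folder, and a cleanup pass
// removes folders once their time is up. Paths and lifetime are assumed.

const STORE_DIR   = '/var/music_store';   // outside the web root, not URL-reachable
const PUBLIC_DIR  = '/var/www/site/dl';   // inside the web root, served as /dl/
const TTL_SECONDS = 600;                  // a download link lives for 10 minutes

/**
 * Copy $track (a bare file name inside STORE_DIR) into a new random folder
 * and return the URL path the user is sent to.
 */
function publish_track(string $track): string
{
    // Only a plain mp3 file name is accepted: no directory components.
    if ($track !== basename($track) || !preg_match('/^[A-Za-z0-9_-]+\.mp3$/', $track)) {
        throw new InvalidArgumentException('bad track name');
    }
    $src = STORE_DIR . '/' . $track;
    if (!is_file($src)) {
        throw new RuntimeException('track not found');
    }
    // 128 random bits from the CSPRNG: the folder name cannot be guessed by
    // the kind of dictionary attack that finds fixed directory names.
    $token = bin2hex(random_bytes(16));
    $dir   = PUBLIC_DIR . '/' . $token;
    if (!mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create download folder');
    }
    if (!copy($src, $dir . '/' . $track)) {
        rmdir($dir);
        throw new RuntimeException('cannot publish track');
    }
    return '/dl/' . $token . '/' . $track;
}

/**
 * Delete download folders older than TTL_SECONDS. Run from a scheduled
 * task or at the top of the download page. Returns the number removed.
 */
function expire_downloads(?int $now = null): int
{
    $now     = $now ?? time();
    $removed = 0;
    foreach (glob(PUBLIC_DIR . '/*', GLOB_ONLYDIR) ?: [] as $dir) {
        // Only touch folders that look like ones we created (32 hex chars).
        if (!preg_match('/^[0-9a-f]{32}$/', basename($dir))) {
            continue;
        }
        if ($now - filemtime($dir) < TTL_SECONDS) {
            continue;                     // still within its window
        }
        foreach (glob($dir . '/*') ?: [] as $file) {
            unlink($file);
        }
        rmdir($dir);
        $removed++;
    }
    return $removed;
}
```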



10.5 CSS


I have decided to add a high contrast CSS to the web site, as the design I decided on may be too dark
for some users. Also users may prefer the alternate style sheet. These can be altered on the top left
of the website.

Also, as a slightly fun part of the project, and due to the festive time of year, I have added a
JavaScript to my website which shows snow falling down on the site.

10.6 MySQL Injection


I have protected my site from MySQL injection by using the PHP function mysql_real_escape_string
on every variable going into the MySQL engine. This will prevent attackers corrupting, deleting or
editing the database.
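As an added example (not the report's own code), the two functions below run the same query safely in two ways: the first follows the report's escape-every-variable approach and shows the two rules it depends on (an escaped string must be wrapped in quotes in the SQL, and a number must be cast, because escaping does nothing for an unquoted value); the second uses a mysqli prepared statement, where the SQL text is fixed and the values travel separately. The table and column names are assumed, and mysqli stands in for the older mysql_ functions the report used.

```php
<?php
// Added example, not the report's own code. Two safe forms of one query
// against an assumed `tracks` table (id, title, artist, price).

/**
 * Escape-and-quote style, as in section 10.6. Safe only while both rules
 * hold: strings are escaped AND quoted, numbers are cast before use.
 */
function tracks_for_sale_escaped(mysqli $db, string $artist, string $maxPrice): array
{
    $artistSql = "'" . $db->real_escape_string($artist) . "'"; // escaped, then quoted
    $priceSql  = (int) $maxPrice;                               // cast; never interpolate raw
    $sql = "SELECT id, title, price FROM tracks"
         . " WHERE artist = $artistSql AND price <= $priceSql";
    $result = $db->query($sql);
    return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
}

/**
 * Prepared-statement style. The SQL never changes; each value is bound to
 * a ? placeholder with its type, so quoting and casting cannot be forgotten.
 */
function tracks_for_sale_prepared(mysqli $db, string $artist, string $maxPrice): array
{
    $stmt = $db->prepare(
        'SELECT id, title, price FROM tracks WHERE artist = ? AND price <= ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $price = (int) $maxPrice;
    $stmt->bind_param('si', $artist, $price);   // s = string, i = integer
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage sketch. The connection details are placeholders, not the report's;
// the database name is the one the report names in section 7.3.
// $db   = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'marcliddell_website');
// $rows = tracks_for_sale_prepared($db, $_GET['artist'] ?? '', $_GET['max'] ?? '0');
```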


11 Ecommerce

11.1 Privacy policy



I have included a privacy policy on the site; this is to let the users know how my site intends to use
their data. Users agree to this when registering, so must accept it to join the site.

11.2 Ecommerce Element
My site demonstrates ecommerce by allowing users to upload music tracks, making them available
to sell to other users. Other users will be charged a fee by the music owner. Of this fee, I, MusicLink,
will take 10% of the total as commission. This will fund the business, and also encourage users to
use the site as we take very little commission. The band can see how much money they have
earned in their account page.

11.3 Artist accounts


I have decided to make every account have the potential to become an artist account. This is because
smaller artists will be encouraged to put their songs up once they have listened to other artists. If more songs
are available to download, more songs will possibly be downloaded, and the site will make more
profit.


12 Server Details

Server IP address: 134.36.36.190 (VistaLabPC020)

MySQL username: root, Password: password

A website user account, Username: marc, Password: marc




13 Security Report


13.1 Nessus scan


To assess the security of a fellow student’s site I started out by running Nessus Client on a default
scan policy. I edited this scan policy so that a full and thorough scan took place.

This report can be viewed in the attached HTML document, named “scan.html”.

The report revealed 6 open ports, 20 low vulnerabilities and 0 medium or high. I will now discuss
these in the following pages.

13.2 Ports


    • http (80/tcp) – This port is required to be open to run the website. However, one of the
      vulnerabilities on this port is that some directories can be enumerated (discovered by
      dictionary attack): /_vti_bin, which is used by ASP to deposit code on the server, and /styles,
      which I assume holds the style sheets. This provides no risk in itself; however, it may be
      possible to guess script names in these directories and run them, which could be hazardous.
      Another discovery on this port is that the server is likely to be IIS 6.0 SP1. Although this
      itself is not a risk, if an exploit is found and is not patched instantly, the exploit could be
      applied to the server with more confidence that it will affect it.

    • netbios-ns (137/udp) – Allows capture of system information. No risks, but it should have
      been removed. It can be removed by following the procedure in section 5.

    • netbios-ssn (139/tcp) – The SMB server runs here. It can be removed by following the procedure
      in section 5.

    • https (443/tcp) – Most vulnerabilities are unpreventable, for example public key data. There is
      one vulnerability with a risk factor of low (not none): the IIS NTLM web server is running,
      and it may be possible to exploit the authentication schemes used for confidential web pages.
      There is, however, no fix available for this as of yet; this should be kept an eye on for a
      patch when it is released.

    • MySQL (3306/tcp) – There are no vulnerabilities on this port; however, it should not be open
      at all. This can be disabled in the MySQL GUI administrator, as described in section 7.1.

    • ms-wbt-server (3389/tcp) – No vulnerabilities, but it is an unused port, so it should be shut
      down.




13.3 General vulnerabilities & website


    • In the general/tcp vulnerabilities, it is shown that TCP timestamps are enabled, and this
      can potentially lead to host corruption. To help ensure security and reliability, this should
      be disabled.

    • SSL – switching between SSL and HTTP is seamless, very smooth. However, I feel some
      directories could be taken out of SSL to reduce the load on the server, for example browse
      artists.

13.4 Security conclusion


Overall the security of the system is good, however, several ports should be closed, to pre-empt any
problems/bugs on these ports.



