[PLUG] best practices

drew wymore drew.wymore at gmail.com
Sun May 24 07:27:30 UTC 2009 

<snip>

>
> Ed
>
> 1. The customer wants users to be able to contribute content
>    to their Web server, which runs Apache and MySQL on Linux.
>    Most of the time, this means users saving PDF documents
>    to the Web server so other users can access them via their
>    browsers.
>
>    He has Samba running and has configured the Web site's
>    DocumentRoot to be a Samba share. Every user in the
>    company can now access all the Web site data. The
>    MySQL tables are not in DocumentRoot but there are PHP
>    files in the DocumentRoot that access the tables. I'm
>    guessing he thinks he'll control security by only mapping
>    drive letters for certain users.
>
>    I mentioned to the customer that this is a significant
>    security issue and that there are more secure ways for
>    users to contribute content but he is unconvinced (see
>    item 2).
>


Using a Samba share like this could pose huge risks if a virus gets
involved. It could potentially write to the webserver depending on what it
was. I actually had this issue waaaaaay back in the day and learned my
lesson the hard way.

Perhaps something like setting a Subversion repo would be a reasonable
alternative since there are Windows GUI tools available and SVN are web
accessible and can be easily controlled in regards to access that are much
more prudent than drive mapping.


>
> 2. The customer ignores security issues because:
>
> a) He claims they are on a "private network"; they are safe.
>    The Web server serves only internal users; it cannot be
>    accessed directly from the Internet. However, their
>    "private network" is not private in the sense of NAT
>    and RFC1918 private addressing. Everyone in the company
>    has a public IP address. Every desktop computer runs
>    Windows with the usual complement of Windows applications.
>
>    Their border gateway/firewall provides insulation from the
>    outside but I'm able to use a variety of protocols, such as
>    SSH, to make connections to hosts on the Internet from
>    their network. He seems to be unaware of threats that
>    originate from the inside.
>
> b) Their virus scanners are up to date.
>
>
This is less of an issue from a security standpoint given there is a router
in place, provided the router is secured properly.

Drew-

More information about the PLUG mailing list