Internets and Intranets
To ensure that Internets and intranets don't co-mingle, it is important to provide unique platforms for each. If that cannot be done, try some of the following ideas.

- Place the two servers onto different ports. The default server port is 80; some common ones besides 80 are 8080, 8088 and 8008 (obviously created by Intel fans-Ed.). If you place your intranet server on any port over 1024, such as port 3100 (the suite number of the floor you are on) or 6200 (the last four digits of a phone number) or even an address like 62030 (as in 62030 Westbrook Lane), it is still a legitimate location for the server and it's just very well hidden from access. The key to using a secondary port for the intranet server is to make it memorable to the inner office, but harder for an outsider to guess.
- Use the controls, as explained before in the .htaccess file, to limit access to the intranet server from the access.conf file. While we don't have room to discuss the access.conf file in this article, one of the many things that it permits is control over which users are permitted to access which directories and which users are not. These same levels of control can be leveraged using .htaccess files at the directory level. If you have a proxy server providing access to the external Web, you must ensure that the server doesn't reveal that access is coming in from the internal domain. You should arrange for the proxy server to be on a separate subnet within the domain and use IP filtering. Bear in mind that IP addresses can be spoofed, so IP filtering on its own could still leave a vulnerability.
- Use an .htaccess or access.conf to control access to the cgi-bin. In this way, an intruder could get to static areas, but all activities that require access to the databases or to the CGI programs that access internal databases would be limited.
- In much the same way, you could use multiple cgi-bin areas to control who has access to which cgi-bin. In that case the standard cgi-bin area would be open, but you would use .htaccess and access.conf to limit the ability of a person to access the special cgi-bin areas.

Directory Listings
If your system is called companya.com and there was a request to your system for an HTTP service that looked like http://www.companya.com/, the system will return a file. The file that this returns is called the default file. When the server sees the URL above, the server checks to see what the default file is supposed to be, and it will return that file to the user.
In most systems the default file is called index.html. This file name can be changed in the configuration file. It can also be a list of file names, in which case the server returns the first name on the list that it finds. This allows the default file to be a Server Side Include file (index.shtml) or a series of possible files {index.shtml index.html main.html README badlocation.html}. In this series the server starts by looking for the first file in the series, and continues until it hits the last file. If no default file is found, it will then try to index the directory if permitted. This is where things get scary, security-wise. In some cases it might be useful to allow someone to get a directory listing. If you are using the directory to allow people to access it like an FTP archive, then it's nice to let the system take over the listing tasks.
What about having listing on and not having a default file in the directory, like an image library? Do you really want your image library to become a place where people from all over the Net can drop by and take images? As we have said, a directory listing can be a very useful tool (it is useful when you are doing development and want to be able to just jump around the directory loading files), but it is also something that is open to potential security abuses. The easiest way to ensure that the directory listing services are not abused is to make sure the last filename in your default list is something like badlocation.html. Then, make sure that every directory has a file in it called badlocation.html that links to a single file. This file should indicate to the user that he or she has come to a location that could not have been reached by following the links on the site. (They should be aware that the owner of the site would prefer that they follow the links that you provide.)
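The following is an added example, not a configuration from the original article: an Apache httpd.conf fragment that combines the port separation and cgi-bin restrictions from the intranet list above with the default-file and directory-listing advice from this section. It uses the Order/Deny/Allow directives of the access.conf era (Apache 2.2 and earlier; Apache 2.4 replaces them with Require ip); the host names, document-root paths, the 10.0.0.0/8 intranet range and port 3100 are assumed values.

```apache
# Added example (not the article's own configuration). Assumed values:
# companya.com host names, /var/www paths, port 3100, intranet range 10.0.0.0/8.

# Public Internet server on the default port, intranet server on a high port.
Listen 80
Listen 3100

# Public site: listings off, so a directory with no index file falls through
# to badlocation.html, which every directory must therefore contain.
<VirtualHost *:80>
    ServerName www.companya.com
    DocumentRoot /var/www/public
    DirectoryIndex index.shtml index.html main.html README badlocation.html
    <Directory /var/www/public>
        Options -Indexes
    </Directory>

    # The standard cgi-bin stays open; the special cgi-bin is intranet-only.
    ScriptAlias /cgi-bin/ /var/www/cgi-bin/
    ScriptAlias /cgi-bin-internal/ /var/www/cgi-bin-internal/
    <Directory /var/www/cgi-bin-internal>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
    </Directory>
</VirtualHost>

# Intranet site: IP filtering to the internal subnet (spoofable on its own,
# so per-directory .htaccess controls are still permitted via AllowOverride).
<VirtualHost *:3100>
    ServerName intranet.companya.com
    DocumentRoot /var/www/intranet
    DirectoryIndex index.shtml index.html main.html README badlocation.html
    <Directory /var/www/intranet>
        Order deny,allow
        Deny from all
        Allow from 10.0.0.0/8
        # Listings are tolerable here for development convenience, but the
        # DirectoryIndex list is consulted first, so badlocation.html wins.
        Options +Indexes
        AllowOverride AuthConfig Limit
    </Directory>
</VirtualHost>
```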
, an internet.com Web site.