security by obscurity?

  • Question

  • User-1225226813 posted

    Hi all, this is maybe more of an ethical security question, but it's IIS related.

    I've been asked to put an existing internal (web forms) aspx application securely on to the internet.

    I am re-writing this as an MVC app, but it's going to be a good 9 to 12 months before it's ready.

    Now, I've added tables for logins, and implemented forms authentication.

    Now an interesting security feature. As an extra layer of security, I'm considering adding this to the internet but without an online DNS entry. This is so no one will ever find it? Each user has a company PC/laptop to which I can roll out a hosts file entry for the online application name/IP address.

    My question: is that secure enough to prevent a hacker from finding it and getting in? Hiding the site so it can't be discovered, plus forms authentication.

    tia D

    Wednesday, March 10, 2021 8:48 PM

All replies

  • User1535942433 posted

    Hi DDH01,

    If you need to add an application to the internet without an online DNS entry, it's ok. You could use a public IP address or hosts files.

    However, these are meaningless. Since you have a public application, everyone, including hackers, could always find your IP address.

    If you need to prevent hackers from attacking you, you could close the application when you don't use it.

    Best regards,

    Yijing Sun

    Thursday, March 11, 2021 4:08 AM
  • User-1225226813 posted

    Thank you for the reply yij. 

    Sure, I understand your point. I'm not too fussed that they can find an IP on the network. I already have a number of sites running on the same IIS server.

    I want to know if they can find the site without the binding name?

    My understanding is that the site isn't presented unless you know the url and ip. If the hacker doesn't know the binding address, can they still find the site?

    Tia

    Thursday, March 11, 2021 8:14 AM
  • User1535942433 posted

    Hi DDH01,

    DDH01

    I want to know if they can find the site without the binding name?

    Does the name mean a domain name? If you don't bind a domain name, the hacker can still find your IP randomly. However, the probability of being attacked is reduced.

    Best regards,

    Yijing Sun

    Thursday, March 11, 2021 9:21 AM
  • User753101303 posted

    Hi,

    If it's used only from machines on which you can deploy a hosts file, can't you use a VPN rather than exposing the site on the internet?

    As I see things, security can always be improved. It's likely best to start with assuming your site is found and see what you are doing next to counter that, rather than thinking a hacker will never find your site IP. For example, will you use HTTP or HTTPS?

    Thursday, March 11, 2021 9:43 AM
  • User-1225226813 posted

    Hi thanks for the response.

    I think the question has been misinterpreted. 

    I don't mind if hackers know my IP addresses. I want to know if the site on IIS can be hacked if the hacker doesn't know the binding address.

    I have 4 sites running already on one IIS server. Each of these has a bound URL, so they are visible.

    If I publish a website with a hidden bound URL, can a hacker find it if they don't know the URL? It would only exist on the end users' PCs.

    Tia

    Thursday, March 11, 2021 9:47 AM
  • User475983607 posted

    What is a "hidden bound URL"?

    can a hacker find it if they don't know the URL? It would only exist on the end users' PCs

    Are you asking about a development machine? If so, no. A hacker cannot find the dev machine unless you expose the dev machine's IP address to the Internet.

    Thursday, March 11, 2021 11:26 AM
  • User-1225226813 posted

    Hi, thanks for the response.

    No, a live production server on the internet.

    In IIS, you can have multiple sites on one server; only the default site will respond via IP. All other sites on IIS need a bound name.

    If you right-click on a site in IIS and select 'Edit Bindings', you can add/change the URL that the site will respond to.

    Now, on the internet, if you don't have a DNS entry back to your server, can anyone find that site?

    Thursday, March 11, 2021 11:41 AM
  • User753101303 posted

    A machine could be stolen. Also, it is sent in clear text with each and every request (for example https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications). It might leak as part of a screenshot or from a video meeting, etc.

    Anyway, if you can handle that easily, just go for it, but don't stop here: still ensure you protect the site as if it were discovered (or in case you change your mind for some reason, such as a company merger). Using logs, you should be able to see if at some point you start to see unexpected HTTP requests.

    On my side, I would likely never do this because it would be very low on my list; I would instead favor measures I could take assuming the site was discovered and is under attack.

    Thursday, March 11, 2021 1:01 PM
  • User-1225226813 posted

    Thanks for the response PatriceSc.

    It's a temporary measure whilst I rewrite in MVC and use Azure auth.

    I'm also going to see if all remote users have static IPs, then restrict access via a firewall 'allow list' too. Just covering as many bases as possible.

    Thanks for that link, I'll have a read.

    Thursday, March 11, 2021 1:07 PM
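    The two defensive measures raised above (watching the IIS logs for unexpected requests, and an allow list of the remote users' static IPs) can be checked together offline. The following is an added example, not code from the thread or from IIS; it assumes the optional cs-host field has been enabled in IIS W3C logging, and the hostname, IP ranges and log lines are constructed placeholders.

```python
import ipaddress

# Constructed sample of an IIS W3C log (not real data). The cs-host field is
# optional in IIS logging and is assumed to have been enabled for the site.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-11 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs-host sc-status
2021-03-11 09:00:01 10.0.0.5 GET /Default.aspx - 443 203.0.113.10 internal-app.example 200
2021-03-11 09:00:07 10.0.0.5 GET /login.aspx - 443 198.51.100.77 internal-app.example 200
2021-03-11 09:00:09 10.0.0.5 GET /Default.aspx - 443 198.51.100.77 public1.example 200
2021-03-11 09:00:12 10.0.0.5 GET /wp-login.php - 443 198.51.100.77 - 404
"""

HIDDEN_HOST = "internal-app.example"    # placeholder for the unpublished binding name
ALLOWED_CLIENTS = ["203.0.113.0/24"]     # placeholder for the remote users' static IPs


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def unexpected_requests(text, hidden_host=HIDDEN_HOST, allowed=ALLOWED_CLIENTS):
    """Requests that reached the hidden binding from an IP outside the allow list.

    Any hit means the hostname is known to someone it was not rolled out to
    (leaked via SNI, a screenshot, a stolen laptop, ...), so the name alone is
    no longer keeping the site hidden.
    """
    nets = [ipaddress.ip_network(n) for n in allowed]
    hits = []
    for r in parse_w3c(text):
        if r.get("cs-host") != hidden_host:
            continue                      # scanning noise against other bindings
        src = ipaddress.ip_address(r["c-ip"])
        if not any(src in n for n in nets):
            hits.append((r["c-ip"], r["cs-uri-stem"], r["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, path, status in unexpected_requests(SAMPLE_LOG):
        print(f"ALERT hidden host reached from {ip}: {path} -> {status}")
```

    Running this over the real log directory on a schedule gives the "unexpected HTTP requests" signal PatriceSc describes, and the allow list doubles as a dry run of the firewall rule before it is enforced.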
  • User475983607 posted

    Now, on the internet, if you don't have a DNS entry back to your server, can anyone find that site?

    I'm not sure if I understand your question or how you configured the IIS applications. I assume you are using "Require Server Name Identification" in IIS. If you put a name in the box and there is no DNS entry, then an outside hacker cannot find the site. Neither can anyone else unless you update the client machine's hosts file.

    Thursday, March 11, 2021 1:10 PM