How secure is DNN?
New Post
8/24/2011 3:08 PM
 
Security begins with proper awareness & planning and is implemented through continued managed policy execution. The reality is that DNN (or any platform) will always be susceptible to attack left unchecked, or in many cases, even monitored. Unfortunately most smaller sites are spooled up and left alone to fend for themselves and the only time anyone knows something went wrong is when the site is down or the content's changed, you get your domain blacklisted for relayed spam or your hard drive is full because you just became a new warez server. This is especially true if you're hosting without a net...meaning your host provides pipe and ping and will rack or allocate a box for you...but draws the line at the most basic network and OS server layer.

A security policy should cover every layer of the stack, not just the [DNN] app, and yes, should include the often overlooked and already pointed out "human" layer.

Making sure your networking, firewalls, traffic monitoring, attack signatures, operating system, database, application and user and admin policies are all kept up to date, are managed and monitored proactively can be a daunting task - but will improve your awareness of attacks and vulnerabilities. Once you know what's happening or "could" happen you can work to mitigate the vulnerabilities at the most appropriate layer (block an IP, add CAPTCHA, turn off China, etc).

In many organizations this represents entire teams and lots and lots of gear; in others you can outsource this to your provider or a company like white hat. In all cases, however, you need to think about security as a lifestyle, pay as much if not more attention to it as you do SEO and content, and establish a plan to constantly evaluate and mitigate vulnerabilities.



Steven Webster
Manager, Community Platform
F5 Networks, DevCentral
 
New Post
5/27/2012 7:24 PM
 

About a year later, are you still uncomfortable?

Have you seen or heard of any negative effects from this configuration?

The permissions only run under the context of IIS, using the app pool identity within the web app itself. Remove the write permissions and you will probably break required functionality. Otherwise, DotNetNuke is as secure as one makes it.

 


Dwayne J. Baldwin
 
New Post
12/14/2012 5:26 AM
 
I'm wondering if there are any financial institutions that use DotNetNuke as a platform in which financial transactions are taking place.

In addition, are there any techniques documented for DotNetNuke that provide a physically separate container, separate from DotNetNuke, that provides a higher level of security, or at least isolation? This would be to ease regulators' and security teams' minds about security, because the financial transactional modules within DotNetNuke would actually be executing within a separate and more secure container than DotNetNuke.

I'm not implying that DotNetNuke is not secure, but my little bit of security experience says that security folk are more at ease when financial modules are isolated from a public website.

Bottom line is: how do you ease the minds of financial services security personnel that DotNetNuke is secure? My 1st thought is the above, by allowing a financial institution to execute their financial transaction modules in their own container that they know is secure while embedding those financial modules in a DotNetNuke platform to be able to take advantage of all the great features, themes, modules, extensions of DotNetNuke.
 
New Post
12/14/2012 12:24 PM
 

FYI there is a list of some of the customers of PE/EE at http://www.dotnetnuke.com/Customers.aspx, with around 100 financial services organisations that use DotNetNuke (there are other customers and many users of the free edition also).

As to security, in general we are well regarded with a relatively small number of annual security issues (with typically only 1 or 2 being critical) - you can see this at http://security.dotnetnuke.com. The wiki has some other useful information at http://www.dotnetnuke.com/Resources/W... , the OWASP analysis is particularly useful. On the security page there is also a downloadable document at the bottom that acts as a guide for hardening DotNetNuke installs.

