Welcome to the DNN Community Forums, your preferred source of online community support for all things related to DNN.

DotNetNuke security design questions

1/12/2007 8:01 AM
 
Hello all,

I have a couple of questions about the design and security of DotNetNuke. I have to persuade my hosting provider that DotNetNuke is secure enough to install on their servers. I already have compiled an extensive report based on documentation, forums and code, but these I can't figure out myself:

- Is sensitive data passed between DotNetNuke and SQL Server protected, e.g. by SSL or IPSec?
- Are external interfaces to the application (i.e. to user, administrator, accessed applications, etc.) identified by the design?
- Does the design identify the identities that DotNetNuke uses to access resources across the trust boundaries (e.g. technical accounts) and the resources to be accessed per identity? Are service accounts required for application administration identified?
- Does the design employ a method for secure storage of credentials (e.g. for client and signer certificates)?

Furthermore they want to be sure all connections are returned to the connection pool after use by the core application. I presume this is the team's intention? :)

Thanks in advance for your help!

Stijn Lambert
 
1/12/2007 4:35 PM
 
Hello Stijn,
To answer your questions
  1. setting up a secure channel between your webserver and database server is not a web application issue, it’s a database security issue (see http://msdn2.microsoft.com/en-us/library/ms189067.aspx for guidelines on setup). You can encrypt webtraffic between the client and server by adding an SSL cert, but this must be installed on the webserver (IIS).
  2. we have a threat analysis report that does detail the access points to dotnetnuke. This was supplied by a 3rd party as part of a security penetration test. This has not been made public as it is under a non-disclosure agreement, I will see if we can get it released publicly.
  3. the “DotNetNuke Installation Guide.pdf” details the necessary service accounts and permissions required for both the webserver and sql server.
  4. by default user passwords are stored in an encrypted form and combined with a SALT value to enhance security. If you wish to use certificates to secure the site (such as an SSL cert for encrypted web traffic, or a client cert for user authentication), this is something you set up in IIS, and that is transparent to DotNetNuke.

Finally, yes, all database connections are released back to the connection pool, where they will then be disposed of automatically.

 
Thanks,
Cathal

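As an added illustration of point 4 in the reply above (this is example code written for this page, not code from DotNetNuke or from the thread; the algorithm, iteration count and salt length below are this example's own choices, since the post only says passwords are stored "in an encrypted form and combined with a SALT value"), the following shows what a salted, one-way password store buys you: two users with the same password get different stored records, and verification recomputes the digest from the stored salt rather than decrypting anything.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example only; the thread does not state which
# algorithm or parameters DotNetNuke's provider uses.
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage.

    A fresh random salt is drawn for every new record; a salt is only passed
    in when re-deriving the digest to verify an existing record.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt; compare in constant time so
    the comparison itself does not leak how many leading bytes matched."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def unsalted_hash(password: str) -> bytes:
    """The weaker alternative: a bare hash with no salt. Identical passwords
    produce identical records, and one precomputed table cracks every user."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def same_password_distinguishable() -> bool:
    """Constructed check: two accounts sharing a password. Unsalted records are
    equal (an attacker reading the table learns that without cracking either);
    salted records differ because each carries its own random salt."""
    shared = "correct horse"
    unsalted_equal = unsalted_hash(shared) == unsalted_hash(shared)
    record_a = hash_password(shared)
    record_b = hash_password(shared)
    salted_equal = record_a == record_b
    return unsalted_equal and not salted_equal


def roundtrip() -> bool:
    """Store one constructed password, then check that only the right
    password verifies against the stored salt and digest."""
    salt, digest = hash_password("hunter2")
    return verify_password("hunter2", salt, digest) and not verify_password(
        "hunter3", salt, digest
    )


if __name__ == "__main__":
    print("salt defeats equal-password leak:", same_password_distinguishable())
    print("verify round-trip:", roundtrip())
```

The stored record is the salt plus the digest; nothing reversible is kept, which is why a password can be verified but never "decrypted" and why a password reset, not a password reminder, is the only option with this kind of storage.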
 
1/12/2007 8:06 PM
 
cathal wrote:
    You can encrypt webtraffic between the client and server by adding an SSL cert, but this must be installed on the webserver (IIS).

I am finding that this is not completely correct. If you want to use SSL you can only have one single portal use it, as a single IIS website can only have a single certificate, which means you do not have the option of using multiple portals. I have heard of one work-around, which is to create a second, third, etc. IIS website for each portal and install its own SSL certificate but direct it to the same DotNetNuke application directory; however, the problem with this approach is that it was reported that this will cause a different instance of the application to run for each portal, which comes with performance issues of its own.

I have started another thread seeking answers to this dilemma, however I have yet to receive a response that convinces me that DotNetNuke is actually capable of handling SSL like many people seem to have claimed.

cathal wrote:
    If you wish to use certificates to secure the site (such as an SSL cert for encrypted web traffic, or a client cert for user authentication), this is something you set up in IIS, and that is transparent to DotNetNuke.

Again, this is not transparent to DotNetNuke, as it will break the ability to provide multiple portals in the same application, which to me is one of the primary purposes of DotNetNuke.

If you have any insight that would correct me on this, I would really love to hear it. I currently have a situation where I need to host a credit card store on multiple portals on the same DNN application, and the idea of having to host a separate web application and instance of dotnetnuke.dll for each portal scares me, as the performance of DNN is already somewhat high and has not been publicly tested (as far as I have found) in this type of hosting scenario.

 

 
1/12/2007 8:24 PM
 

And in addition, some practical advice... move to another host. If they are like this at the start then they're only going to make things more difficult when you get things going and run into trouble. You're starting off on the wrong foot with them.

Nay-saying IT types just aren't worth the drama, and there are plenty of other knowledgeable hosts around.

Rob

 
Previous
 
Next
HomeHomeOur CommunityOur CommunityGeneral Discuss...General Discuss...DotNetNuke security design questionsDotNetNuke security design questions


These Forums are dedicated to discussion of DNN Platform and Evoq Solutions.

For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:

  1. No Advertising. This includes promotion of commercial and non-commercial products or services which are not directly related to DNN.
  2. No vendor trolling / poaching. If someone posts about a vendor issue, allow the vendor or other customers to respond. Any post that looks like trolling / poaching will be removed.
  3. Discussion or promotion of DNN Platform product releases under a different brand name are strictly prohibited.
  4. No Flaming or Trolling.
  5. No Profanity, Racism, or Prejudice.
  6. Site Moderators have the final word on approving / removing a thread or post or comment.
  7. English language posting only, please.
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out
What is Liquid Content?
Find Out