Securing Admin Page Under Windows

[TT2by2]

I got through my first stumbling stone in a previous thread. Now another issue I am concerned about.

 

How does one secure the admin section? I see no place to set an administrative password or secure it in any way. Anyone can to to the /admin section and poke around freely. What's the best way to do this? I'm running IIS on win2k Advanced Server.

 

Thanks again!

[♥Vger]

First thing to do is to rename the 'admin' folder to something unique, which no one else can guess. Then go into the admin(newname)/includes/configure.php and you'll find several file pathways to /admin/ and you need to change these to refllect the new name. This will give you some protection.

 

Next, go to your web hosting control panel, and see if they have a 'Password Protect' or 'Protect Directories' feature and if they do then use that to protect the renamed 'admin' folder.

 

Finally, if you have ssl, even a shared ssl, then you can set all file pathways to http:// to https:// in your admin/includes/configure.php file, and this will put all of your 'admin' folder behind ssl encryption.

 

Vger

[TT2by2]

Thanks for the response. I host my own, and have local access to the server. I don't have a web-based control panel, as I don't offer public hosting, and didn't see the need for it. I have changed the /admin path to a very unique name, and nobody could possibly guess it. I do not have SSL config'd yet. Is there a way I could password protect the admin directory only, leaving the rest of the web open through the IIS settings? I guess I'll have to experiment with that. Any other ideas I missed would be helpful though.

 

Thanks

[♥Vger]

Place a .htaccess file in the 'admin' folder with code that requires a user name and password. Do a search on the web and you'll come up with plenty of examples.

 

Vger

Thanks for the response.  I host my own, and have local access to the server.  I don't have a web-based control panel, as I don't offer public hosting, and didn't see the need for it.  I have changed the /admin path to a very unique name, and nobody could possibly guess it.  I do not have SSL config'd yet.  Is there a way I could password protect the admin directory only, leaving the rest of the web open through the IIS settings?  I guess I'll have to experiment with that.  Any other ideas I missed would be helpful though.

 

Thanks

<{POST_SNAPBACK}>

[portalplanet]

I use the "admin access with levels" contribution and also make sure SSL is used for the admin area.

 

Justin

[TT2by2]

Thannks again for the tip.... I googled a few keywords and found this: http://www.troxo.com/products/iispassword/

 

It worked like a charm!! It easily secures/password protects folders in IIS using the HTACCESS files. Exactly what I needed.

 

Once again, thanks!

[unangst]

I don't have a web-based control panel, as I don't offer public hosting, and didn't see the need for it. 

 

Neither did I... until I stumbled across Jamie Cameron's Webmin. Webmin is an easy, browser-based Linux administration system - it's simple to use, yet packs quite a punch. I come from an education background and was looking for ways to simplify my life as well as remove some of my newbie server administration frustrations.