WebRadiance forums

Best security practices for internal-only Wiki

 
Marc Amos
post Jun 26 2008, 12:33 PM
Post #1





Hey all, I'm looking for advice on security ...

I've a Wiki on my business website, hosted on a VPS, that's currently protected with .htpasswd and a fairly healthy username / password combination. Before I put any real sensitive information in there, I wanted the opinion of others (anybody with more system security knowledge than I have) who can tell me if there is anything more secure than .htpasswd I should be doing.

I think I can setup my Wiki to not allow anybody to read anything beyond the home page before they log in with Wiki-based credentials, and if that's true, then I'll have both .htpasswd & individual Wiki username / password security before someone can read the content, but, again, I wonder what is the best way to do this.

I can't limit entry to specific IP addresses, because the few people I want to grant access to are spread all over and have dynamic IP addresses.

So, is what I've got as good as it gets, or can I get more secure considering my circumstances?


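An added example, not code from Marc or anyone else in this thread, prompted by the question of whether .htpasswd is "as good as it gets": much of its strength lies in how the stored hashes were generated, so this PHP script parses a .htpasswd file and flags every entry whose scheme is not bcrypt (what `htpasswd -B` writes on Apache 2.4). The sample file, usernames and hashes are constructed; PHP 8 is assumed for `str_starts_with`.

```php
<?php
// Added example, not code from the thread: audit an Apache .htpasswd file by
// hash scheme. Whether ".htpasswd protection" is strong depends less on the
// mechanism than on how the stored hashes were produced. Requires PHP 8.
declare(strict_types=1);

/**
 * Name the hash scheme of one .htpasswd password field. The formats are the
 * ones Apache's htpasswd(1) documents: bcrypt (-B), apr1 MD5 (the default),
 * unsalted SHA1 (-s), traditional crypt(3) (-d: 13 chars, only the first 8
 * password characters count) and plaintext (-p, honoured on Windows builds).
 */
function htpasswdScheme(string $field): string
{
    if (preg_match('/^\$2[aby]\$/', $field) === 1) {
        return 'bcrypt';
    }
    if (str_starts_with($field, '$apr1$')) {
        return 'apr1-md5';
    }
    if (str_starts_with($field, '{SHA}')) {
        return 'sha1';
    }
    if (preg_match('#^[./0-9A-Za-z]{13}$#', $field) === 1) {
        return 'crypt';
    }
    return 'plaintext-or-unknown';
}

/**
 * Parse .htpasswd contents into one record per line:
 * ['line' => int, 'user' => ?string, 'scheme' => string, 'weak' => bool].
 * Only bcrypt is accepted; every other scheme (and malformed lines) is flagged.
 */
function auditHtpasswd(string $contents): array
{
    $report = [];
    foreach (preg_split('/\R/', $contents) as $index => $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;                       // blank line or comment
        }
        // Format is user:hash; split once so a ':' inside the hash survives.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
            $report[] = ['line' => $index + 1, 'user' => null,
                         'scheme' => 'malformed', 'weak' => true];
            continue;
        }
        [$user, $hash] = $parts;
        $scheme = htpasswdScheme($hash);
        $report[] = ['line' => $index + 1, 'user' => $user,
                     'scheme' => $scheme, 'weak' => $scheme !== 'bcrypt'];
    }
    return $report;
}

// Constructed sample file (not real credentials). The bcrypt line is what a
// current `htpasswd -B` would write; the other lines imitate legacy entries.
$sample = "# internal wiki users\n"
    . 'marc:' . password_hash('example-only', PASSWORD_BCRYPT) . "\n"
    . 'legacy:$apr1$saltsalt$0123456789abcdefghijkl' . "\n"
    . 'olduser:{SHA}' . base64_encode(sha1('example-only', true)) . "\n"
    . "ancient:ab01cdEF23ghI\n"
    . "line-without-a-colon\n";

foreach (auditHtpasswd($sample) as $entry) {
    printf("line %d  %-12s %-21s %s\n",
        $entry['line'],
        $entry['user'] ?? '(malformed)',
        $entry['scheme'],
        $entry['weak'] ? 'WEAK: regenerate with htpasswd -B' : 'ok');
}
```

Each flagged user can be re-added with `htpasswd -B .htpasswd <user>`, which rewrites only that user's line; the audit is worth re-running after any shared-hosting panel or old tutorial has touched the file, because those commonly write apr1 or crypt entries.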
TJSingleton
post Jun 26 2008, 01:35 PM
Post #2





1st question: is it being served over SSL?


Catalyst
post Jun 26 2008, 02:02 PM
Post #3





With security you have to look at the data you're storing and then ask yourself how much effort securing that data is worth. It might be worth weeks of work locking everything down if you kept credit card info on there, but if it's just say client phone numbers then you'd just want to make it inconvenient to get into. Or said another way, how much effort is someone likely to put into getting to what you're storing? You can encrypt your data, use SSL, all sorts of stuff, but unless you've got time to kill or that data is truly that important it may not be worth going that far. Someone probably emailed you the data at some point so the data has already been exposed at some level to a determined black hat.

Anyway, that was fairly general. I think specifically you need to look at exploits against your platform, and more importantly exploits against the wiki you're running. And by far the biggest security flaw is the other people you're giving access to the wiki to. Google your wiki software for security issues. Wikipedia was hacked last year for example.

Generally I'd say .htaccess, a good user/pass, and turning off public viewing of the wiki is a reasonable combination so long as everything is patched up and configured correctly.
Marc Amos
post Jun 26 2008, 02:54 PM
Post #4





QUOTE (TJSingleton @ Jun 26 2008, 02:35 PM)
1st question: is it being served over SSL?

Nay, basic http

QUOTE (Catalyst @ Jun 26 2008, 03:02 PM)
With security you have to look at the data you're storing and then ask yourself how much effort securing that data is worth. It might be worth weeks of work locking everything down if you kept credit card info on there, but if it's just say client phone numbers then you'd just want to make it inconvenient to get into. Or said another way, how much effort is someone likely to put into getting to what you're storing? You can encrypt your data, use SSL, all sorts of stuff, but unless you've got time to kill or that data is truly that important it may not be worth going that far. Someone probably emailed you the data at some point so the data has already been exposed at some level to a determined black hat.

Anyway, that was fairly general. I think specifically you need to look at exploits against your platform, and more importantly exploits against the wiki you're running. And by far the biggest security flaw is the other people you're giving access to the wiki to. Google your wiki software for security issues. Wikipedia was hacked last year for example.

Generally I'd say .htaccess, a good user/pass, and turning off public viewing of the wiki is a reasonable combination so long as everything is patched up and configured correctly.

As for the content/data, it's things like access credentials to my client's servers via VPN and/or FTP, so it's more crucial than phone numbers, and not far from as crucial as credit card numbers.

I'm using MediaWiki (Wikipedia's choice) ... I may just stick with a slick username/password combo and turn off read access, via the wiki, to all except registered users.


TJSingleton
post Jun 26 2008, 04:45 PM
Post #5





If you're not using SSL then the traffic is still viewable - if someone is listening in between your server and your computer they will see the data in plaintext. SSL will prevent that.


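Marc's plan to turn off read access for everyone but registered users, together with TJ's point about SSL, as one MediaWiki LocalSettings.php fragment. This is an added example, not configuration posted by anyone in the thread: the hostname is a placeholder, the whitelist assumes the default "Main Page" title, and the setting names are MediaWiki's own, with $wgForceHTTPS requiring MediaWiki 1.35 or later (older installs would instead redirect to HTTPS at the web server).

```php
<?php
// Added example, not from the thread: LocalSettings.php fragment for a
// private MediaWiki. Two goals: nobody reads past the home/login page without
// a wiki account, and nothing travels over plain HTTP. Hostname is a
// placeholder; $wgForceHTTPS exists from MediaWiki 1.35 on.

// --- Private wiki: anonymous visitors may neither read, edit nor register ---
$wgGroupPermissions['*']['read']          = false;
$wgGroupPermissions['*']['edit']          = false;
$wgGroupPermissions['*']['createaccount'] = false;   // admins create accounts

// Pages that stay readable so the home page shows and the login form works.
// "Main Page" is MediaWiki's default title; change it if the wiki renamed it.
$wgWhitelistRead = [ 'Main Page', 'Special:UserLogin', 'Special:UserLogout' ];

// --- Transport: canonical https:// URL, redirect http://, protect cookies ---
$wgServer         = 'https://wiki.example.invalid';   // placeholder hostname
$wgForceHTTPS     = true;    // every http:// request is redirected to https://
$wgCookieSecure   = true;    // session cookies carry the Secure flag
$wgCookieHttpOnly = true;    // session cookies carry the HttpOnly flag

// --- Reduce what the few trusted accounts can do if one is compromised ---
$wgEnableUploads = false;    // no file uploads unless genuinely needed
$wgPasswordPolicy['policies']['default']['MinimalPasswordLength'] = 12;
```

With `read` denied to `*`, the built-in `user` group still has read rights, so logged-in members see everything while anonymous visitors get only the whitelisted pages. Keeping `.htpasswd` in front of this gives two independent checks, as Marc intended, and the cookie flags matter because a session cookie leaked over HTTP would bypass both.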
haku
post Jun 26 2008, 06:50 PM
Post #6





Though the likelihood of that is fairly minimal. It's not easy for someone to piggyback onto your signals. That being said, with particularly sensitive information (which it sounds like this is), it would probably be worth buying an SSL certificate.

Wiki software also isn't that great security-wise. It works, but honestly, you would be better off with something else, maybe some CMS software. But, with the .htaccess and the wiki software set to non-public viewing, you should be ok for the most part. Someone would have to be pretty determined to want to get at your stuff to be able to do it.


Sirkent
post Jun 27 2008, 03:38 AM
Post #7





I would be more concerned about the security of any of your other software running on your server. If other software is compromised and an attacker gains access to (let's say) run his own PHP, then he could remove all of your restrictions very easily. If you're not worried about http eavesdropping (and don't want to move to ssl) then simply ensure that other software on your server is well maintained.


JPMitchell
post Jun 27 2008, 07:36 AM
Post #8





This is extremely informative. Marc let us know what solution you arrive at so others may have additional options.


