Planning for Security

You plan for Commerce Server 2000 security by planning how to defeat site security threats for all the features deployed on your site and by selecting the policies and tools necessary to achieve the level of security you want.

To build a site that adheres to best security practices, you need to configure Secure Sockets Layer (SSL) so that certain pages (such as pages that request credit card information) are served through SSL. To set this up, you need to get a server certificate and configure Microsoft Internet Information Services (IIS) 5.0 to use SSL. For more information, see the IIS product documentation at https://localhost/iisHelp.

In addition, you can specify a Secure Host Name for each Commerce Server application in the Microsoft Management Console (MMC). The AuthManager object uses the Secure Host Name to create links to secure pages. The links could lead to a different Commerce Server application or to a secure section of the same application.
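As an added example (not code from the Commerce Server 2000 documentation), the following ASP include enforces the first point above on the server side: a page that requests credit card information refuses to be served over plain HTTP and sends the browser to the same page on the Secure Host Name. The constant SECURE_HOST_NAME is an assumed placeholder for the value configured in the MMC.

```asp
<%
' Added example, not part of the Commerce Server 2000 documentation.
' Include this at the top of any page that collects credit card data.
Option Explicit
Response.Buffer = True

' Assumed placeholder: use the Secure Host Name set for the application in the MMC.
Const SECURE_HOST_NAME = "secure.example.com"

Sub RequireSSL()
    Dim sSecureUrl
    ' IIS sets the HTTPS server variable to "on" only when the request
    ' arrived over SSL; anything else means the page was requested in clear.
    If LCase(Request.ServerVariables("HTTPS")) <> "on" Then
        sSecureUrl = "https://" & SECURE_HOST_NAME & Request.ServerVariables("URL")
        If Len(Request.ServerVariables("QUERY_STRING")) > 0 Then
            sSecureUrl = sSecureUrl & "?" & Request.ServerVariables("QUERY_STRING")
        End If
        ' Discard any buffered output so no form content leaks over HTTP,
        ' then send the browser to the SSL copy of the page. Response.Redirect
        ' ends the response, so nothing after it runs for a cleartext request.
        Response.Clear
        Response.Redirect sSecureUrl
    End If
End Sub

RequireSSL
%>
```

A redirect cannot recover form data that a visitor already posted over HTTP, so this check is a backstop: the links that lead to the page should already be built with the Secure Host Name, as the AuthManager object does.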

To minimize the likelihood of a security breach, you must be able to:

  • Lock down the site, which means controlling access to files, pages, and applications with access control lists (ACLs) on NTFS volumes.

  • Control the Read, Run Scripts, and Write permissions on the folders that your site defines for IIS security.

  • Authenticate site visitors.

The following table lists some of the questions that you need to answer to decide what to lock down, how to control access, and how to authenticate.

Planning question: Do you need to authenticate site visitors with their Windows 2000 security context?
Recommendation: Include Microsoft Active Directory in your site configuration if you plan to authenticate users with their Microsoft Windows 2000 security context.

Planning question: What type of content do you need to lock down?
Recommendation: If you are securing static content, you will need to use the AuthFilter Internet Server Application Programming Interface (ISAPI) filter, because the AuthManager object works only on dynamically generated content.

Planning question: Will you require users to accept cookies?
Recommendation: The AuthFilter can automatically generate a cookie for new visitors to your site.

Planning question: Do you plan to use a form-based authentication scheme?
Recommendation: If you are planning to authenticate users using a custom authentication scheme, you will need to run the AuthFilter in Custom mode.

Planning question: What site architecture best meets your security requirements?
Recommendation: Review the firewall solution summaries in Firewall Configurations and determine which solution is the most appropriate for your installation.

See Also

Commerce Server Security

Firewall Configurations

Commerce Server Security Checklist

Managing the CS Authentication Resource
