Tips Securing Your DNN Website
DNN is the most powerful asp.net CMS software that's loved by millions of users and communities. The DNN local communities exist in most countries with different languages support. There're many people living by dnn development on modules and skins. It's also very good learning platform for .net programmers. Because of it's leadership in asp.net, it's crucial to understand some security tactics in using this software. We have been worked with DNN since 3.2 and supported lots of dnn clients on live hosting service. Following DNN security tips are generated from our daily experience and professional suggestions in DNN community.
Security is started before your initial dnn installation. As suggested by this article, DNN keeps user password via encrypted format and we can improve it using hash. But we must edit configuration file before installation. Also, unless you have a blade fast hosting server, we highly suggest install locally first then move to hosting space. From our experience, dnn installation wizard can fail easily. In case you get unsuccessful installation, the wizard can be restarted when people browse to your domain.
By default, DNN provides two user accounts admin/host. Actually we can change the two user id to anything else and apply enhanced password policies. DNN can be auto installed by various installers nowadays but we highly recommend to install manually so you can understand the entire process and secure the installation as much as possible.
Captcha is great feature to reduce spam registration and submission on your DNN site. Captcha is a built in feature and it can be enabled via admin user login. In case you run into problems to enable this feature, this article should help fix it. There're also multiple official articles on how to customize the captcha image, just make a bit research and you'll be surprised how fantastic it is.
Set proper file permission
DNN is programmed on asp.net platform that highly rely on "networkservice" this user account to work with. We must grant "RWXD" permissions to this user to ensure everything can work fine. However, we should restrict other user accounts permission correctly or else it will bring big security issue. We highly recommend to follow this official tutorial to configure the right file permissions.
Do not use sql express
SQL express is the free edition of sql server service. We don't recommend use it for your live website. Not just for performance but also refers to daily maintenance. Since both website files and database are located on the same server, any misconfiguration might bring big security issues. For enterprise website purpose, full version sql server is a must because it's configured on dedicated sql server environment. As we know, the less service on server, the more secure it is.
Use reliable module/skin resource
Because lots of developers live by module/skin development, there're many dnn resources we can get. However, we must find a reliable provider because each developer has different programming skills. The script design decides its overall secure level directly so we must pay good attention to it. DNN now provides official store for commercial skins/modules. All of their products are verified by DNN official team for guaranteed performance and security. If you need commercial solutions, their official store should be primary consideration.
Check DNN Logs
You don't have to login hosting server for website logs. DNN has built in log system to record all server end and onsite activities. You can view how your website be accessed and which user logged in at what time. Check those logs often and find if there's anything inormal so you can apply necessary changes in time.
Use a reliable DNN hosting
Probably the most important part. Hosting server is the destination of all your datas so it's quite important to get a right provider in the beginning. No matter how much time it may take, we don't need to quarrel with customer support at a bad hosting service. The best dnn hosting service must be setup on latest windows server system and up to date hardware production. Network must be safe and clean with good protection over common attacks.
If you have extremely high requirements to performance and security, powerdnn might be the right place because their team members are actually dnn developers and work for DNN official! if you need budget choice, you might check out winhost who's dedicated in windows hosting service.