Monday, 4 March 2013

Law #4: If You Allow A Bad Guy To Upload Programs To Your Website, It’s Not Your Website Anymore


This is basically Law #1 in reverse. In that scenario, the bad guy tricks his victim into downloading a harmful program onto his computer and running it. In this one, the bad guy uploads a harmful program to a computer and runs it himself. Although this scenario is a danger anytime you allow strangers to connect to your computer, websites are involved in the overwhelming majority of these cases. Many people who operate websites are too hospitable for their own good, and allow visitors to upload programs to the site and run them. As we’ve seen above, unpleasant things can happen if a bad guy’s program can run on your computer.
If you run a website, you need to limit what visitors can do. You should only allow a program on your site if you wrote it yourself, or if you trust the developer who wrote it. But that may not be enough. If your website is one of several hosted on a shared server, you need to be extra careful. If a bad guy can compromise one of the other sites on the server, it’s possible he could extend his control to the server itself, in which case he could control all of the sites on it, including yours. If you’re on a shared server, it’s important to find out what the server administrator’s policies are. (By the way, before opening your site to the public, make sure you’ve followed the security checklists for IIS 4.0 and IIS 5.0.)
