Authenticating users from an offsite web server
OK, I have very poor knowledge of web systems and how secure the files are or where they need to be put to be as secure as possible. I would like to be able to have an authentication login page which links back to the Windows server to verify the user's credentials. I have considered various ideas but cannot make a decision due to lack of knowledge. I don't want to expose anything unnecessarily (ports, URLs, etc.), so can anyone throw a few solutions into the mix? PHP, CGI, LDAP, using something on the IIS 7.5 side of the local server? TIA
October 26th, 2011 1:06pm

Since you have many questions (and I am sure more as they get answered), I would recommend that you post questions on the Microsoft Official forum for IIS and ASP.net: http://forums.IIS.net, http://forums.ASP.net

Guides and tutorials, visit ITGeared.com.
October 26th, 2011 2:23pm

I understand what you are saying, but this was a more general question because the offsite sites are running on (I believe) Apache boxes under WordPress. I don't have the time to sift through a whole load of WordPress info to see what it can do, and I think this is more likely to need a front end to do the authentication, but as so many technologies are available, I wanted a slightly wider point of view. If I do no good here I will definitely try the forums you suggested.
October 26th, 2011 6:11pm

So at a general high level, IIS could provide a variety of authentication schemes, one being Windows authentication. However, if you plan on authenticating the users from a database table, you'll enable basic authentication and use forms. On the website end, the code you pick is up to you. ASP.net is my recommendation, mostly because I am very familiar with it. If this is running on Apache, the links I provided above won't do you much good. You'll have to go to an Apache forum.

Regardless of the web server system that you use, you will need, at a very minimum, port 80 for HTTP. If you secure the web (at least the login page), you'll need to allow 443, HTTPS. If the web pages (files) and DB you need to access are on the same web server, no other ports are required. If the DB is remote, then you'll need 1433 if you are running MS SQL. For other DBs, you'll need to check their documentation.

Unfortunately, there are many ways to do this and a lot of options. I don't see how you can move forward without spending some time on researching this in more detail.
October 26th, 2011 9:05pm

As far as I am aware, the web-side servers are using Apache. They also allow PHP and Ruby, but I am unsure if ASP is supported and find this unlikely. My concerns are more to do with exposing server information when doing the authentication, and what implications, in terms of security, I would have to be aware of if I were to install a PHP version onto the Windows/Exchange server. We already have code in PHP that will do the authentication through our existing win2k server using LDAP, but we currently host the websites in house, so everything is done server side and no information goes outside the intranet. Moving our sites to offsite servers is where the problem arises. I am aware of the ports you pointed out, as we already use these at the moment, albeit behind a firewall which manages the redirections. If this is the wrong place for this, I apologise and would be happy to repost (after some further research my end) if you could point me in the right direction.
October 29th, 2011 10:04am

Yes, I would suggest that you repost in a security-related forum or a PHP forum. From a footprint perspective, yes: the more apps/services that run on a system, the more that would generally increase the chance of a vulnerability being exploited. I am not sure if you are going to get a lot of detailed feedback in an MS forum for PHP-related questions, not because no one will want to help, but rather because the technical expertise may be more limited. I for one have very little experience with PHP. Other than some light PHP coding and just knowing best practices with regard to security in general, I could not tell you which version of PHP is more secure or how to securely code PHP. I would tend to think that the same coding practices would exist regardless of whether it's PHP or ASP.net.
October 31st, 2011 1:23pm

This topic is archived. No further replies will be accepted.
