October 8th, 2002, 09:39 PM
Database Access ?
Hey guys. I'm still around. I was wondering about something which has to do with ASP and those rotten Access databases. I have a couple of security questions that maybe some people could help me with.
I've noticed that my brother keeps on bringing up how he gets a lot of CGI scans. He told me their process and how they scan for certain files that could give access to their website. I was wondering, is it possible for someone to detect an Access database with the same theory behind CGI scanners? Now I'm not saying that by using a CGI scanner to find an Access database, I'm just wondering whether the same theory applied could detect a database. Also, do these people that use hacking tools have any tools that do this already?
I've also heard that people can use ASP to connect remotely to a database. Now all my databases are password protected and of course have the proper read and write permissions, but still, if they crack it I don't want them seeing the data inside. I'm not too sure if you can put the database outside a web directory if it's for online use and still have it function. Is there a way in ASP to block access to the database and prevent people from building ASP pages to view databases? I'm really interested in hearing about preventing these sorts of things and any other ways an Access database could be compromised.
October 9th, 2002, 12:01 AM
July: As far as ASP pages connecting to databases: I only have SQL knowledge. I know that you have to store the username and password in the global.asa file for the ASP pages to log in and write to your database. I think that it is the same for Access databases.
October 13th, 2002, 03:45 PM
There is no need to password protect your MS-Access databases. Instead, store them in a directory where people can't get them. Password protecting MS-Access databases provides only superficial security and is pointless if they're the back-end for a web site.
Keep the MS-Access database files outside the web root or any other web-aliased directory. Clearly the NT filesystem needs to allow them to be read/written to, so you cannot restrict them.
People cannot "Get" your access databases if they're outside the web root (assuming your application is written correctly, which many ASP/PHP apps aren't) so don't worry about that.
Instead make sure you take all the normal IIS security precautions: Remove all help, samples and such like. Remove all the default virtual directories and script maps. Use the IIS security tool to disable everything you don't use, and keep IIS fully patched.
If IIS is correctly set up, CGI scans are not a worry. You will see them in your logs often, as they are mostly made by worms. You cannot stop them, but instead be happy with the knowledge that they cannot affect you.
On a side note, MS-Access isn't suitable for anything other than the lightest of web work, and you should consider changing to a more scalable database if there is any volume of traffic.
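The advice in the post above (keep the MS-Access files outside the web root) can be checked with a short audit script. This is an added example, not part of the original thread: the function names, the `wwwroot`/`data` layout and the sample pages are constructed for illustration, and treating any `Server.MapPath` reference as web-mapped is a heuristic assumption.

```python
import os
import re
import tempfile

DB_EXT = {".mdb", ".ldb", ".mdw"}        # Access data, lock and workgroup files
SCRIPT_EXT = {".asp", ".asa", ".inc"}    # files that may hold connection strings
CONN_PATH = re.compile(r"(?:Data Source|DBQ)\s*=\s*([^;\"']+\.mdb)", re.I)
MAP_PATH = re.compile(r"Server\.MapPath\s*\([^)]*\.mdb", re.I)  # virtual path

def inside(root, path):                  # True if path lies under root
    try:
        return os.path.commonpath([root, os.path.abspath(path)]) == root
    except ValueError:                   # different drives on Windows
        return False

def audit_web_root(web_root):
    """Return (database files under web_root, scripts pointing under web_root)."""
    root = os.path.abspath(web_root)
    exposed, pointing = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in DB_EXT:
                exposed.append(rel)      # downloadable if the server serves it
            elif ext in SCRIPT_EXT:
                with open(full, encoding="latin-1") as fh:
                    text = fh.read()
                paths = CONN_PATH.findall(text)
                if MAP_PATH.search(text) or any(inside(root, p.strip()) for p in paths):
                    pointing.append(rel)
    return sorted(exposed), sorted(pointing)

def build_sample_site(base):
    """Constructed sample: one database inside the web root, one outside it."""
    root, data = os.path.join(base, "wwwroot"), os.path.join(base, "data")
    os.makedirs(os.path.join(root, "db"))
    os.makedirs(data)
    pages = {"bad.asp": os.path.join(root, "db", "shop.mdb"),
             "good.asp": os.path.join(data, "safe.mdb")}
    for page, db in pages.items():
        open(db, "wb").close()           # empty placeholder database file
        with open(os.path.join(root, page), "w") as fh:
            fh.write('<% conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=' + db + '" %>')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_web_root(build_sample_site(tmp)))
```

Point `audit_web_root` at the real site directory; anything it returns is a database file, or a page referencing one, that sits where a web request could reach it.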
October 13th, 2002, 09:36 PM
What does CGI scanning have to do with MySQL databases or ASP server sheets? I'm just curious because I rarely work with MySQL or ASP for that matter. Also, if anyone can point me in the direction of a few tutorials about either, that would be great.