ASP security?
Results 1 to 6 of 6

Thread: ASP security?

  1. #1
    Junior Member
    Join Date
    May 2004
    Posts
    22

    ASP security?

    What are some ways to secure a database on a webserver that is written to by ASP? I have set certain permissions through IIS and through the folders that host the database but i feel that this is not enough. Any suggestions?
    thanks

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    What about passwords? Have you set up strong passwords for your database?

    The ASP page writes to the database with a username and password. Have you made it something other than sa? (For MS SQL)
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    1. Audit the code thorougly for common development mistakes (SQL injection vulnerabilities).
    2. Read: http://www.microsoft.com/sql/techinf...gsqlserver.asp
    3. Sign up for related mailing lists for security announcements.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  4. #4
    Shadow Programmer mmelby's Avatar
    Join Date
    Jul 2002
    Location
    Ft. Myers, FL
    Posts
    291
    A couple of things I do are:

    Make sure the database is NOT within the website. I put my inetpub folder on the D drive and create a database folder on the same driva and at the same level. Then set NTFS permissions for the web anonymous user only. That way you can only get to it usinf ODBC.

    Make sure you use strong passwords on your database.

    Make sure you use field validation on any fields used to generate requests to your database.

    DO NOT put your passwords in the global.asa file. You can get pretty creative as to how you manage your passwords. Some people store them in a different database file and reteive them using server side code then put them in variables. Some try to mask them with common names. There is some sample code at the good ASP sites like www.asp101.com, www.aspfree.com, and www.planetsourcecode.com.

    Hope this helps.

    m2
    Work... Some days it's just not worth chewing through the restraints...

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    1. Ensure that no attacker can possibly access the database directly, i.e.
    - For file-based databases like MSACCESS and text files, ensure they are not accessible via a web or FTP server
    - For server-based databases like MSSQL, ensure that the server does not allow access over the internet

    2. Make sure your application is not vulnerable to SQL injection, or other attacks (NB: this is generally non-trivial)
    3. Take all other normal precautions, i.e. using a firewall, virus checker, and keeping systems patched

    Slarty

  6. #6
    Junior Member
    Join Date
    May 2004
    Posts
    22
    Thanks for the help guys

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •