May 10th, 2004, 03:59 PM
What are some ways to secure a database on a webserver that is written to by ASP? I have set certain permissions through IIS and through the folders that host the database but I feel that this is not enough. Any suggestions?
May 10th, 2004, 04:09 PM
What about passwords? Have you set up strong passwords for your database?
The ASP page writes to the database with a username and password. Have you made it something other than sa? (For MS SQL)
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
May 10th, 2004, 09:02 PM
1. Audit the code thoroughly for common development mistakes (SQL injection vulnerabilities).
2. Read: http://www.microsoft.com/sql/techinf...gsqlserver.asp
3. Sign up for related mailing lists for security announcements.
The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
Is your whole family retarded, or did they just catch it from you?
May 10th, 2004, 09:18 PM
A couple of things I do are:
Make sure the database is NOT within the website. I put my inetpub folder on the D drive and create a database folder on the same drive and at the same level. Then set NTFS permissions for the web anonymous user only. That way you can only get to it using ODBC.
Make sure you use strong passwords on your database.
Make sure you use field validation on any fields used to generate requests to your database.
DO NOT put your passwords in the global.asa file. You can get pretty creative as to how you manage your passwords. Some people store them in a different database file and retrieve them using server side code then put them in variables. Some try to mask them with common names. There is some sample code at the good ASP sites like www.asp101.com, www.aspfree.com, and www.planetsourcecode.com.
Hope this helps.
Work... Some days it's just not worth chewing through the restraints...
May 10th, 2004, 10:48 PM
1. Ensure that no attacker can possibly access the database directly, i.e.
- For file-based databases like MSACCESS and text files, ensure they are not accessible via a web or FTP server
- For server-based databases like MSSQL, ensure that the server does not allow access over the internet
2. Make sure your application is not vulnerable to SQL injection, or other attacks (NB: this is generally non-trivial)
3. Take all other normal precautions, i.e. using a firewall, virus checker, and keeping systems patched
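The field validation and SQL injection advice in the replies above, shown as an added classic ASP example (not code from any poster): form input is checked against an allow-list, then written with a parameterized ADO command instead of a concatenated SQL string. The DSN name `GuestbookDsn`, the `Guestbook` table with its `VisitorName` and `Age` columns, and the `name` and `age` form fields are assumptions made for illustration.

```vbscript
<%@ Language="VBScript" %>
<%
Option Explicit

' ADO constants (same values as in adovbs.inc)
Const adCmdText = 1, adParamInput = 1, adExecuteNoRecords = 128
Const adInteger = 3, adVarWChar = 202

' Allow-list check: the whole value must match the anchored pattern.
Function IsValid(value, pattern)
    Dim re
    Set re = New RegExp
    re.Pattern = pattern
    IsValid = re.Test(value)
End Function

Dim visitorName, ageRaw
visitorName = Trim(Request.Form("name"))   ' assumed form field
ageRaw = Trim(Request.Form("age"))         ' assumed form field

' Reject bad input before the database is touched at all.
If Not IsValid(visitorName, "^[A-Za-z .'-]{1,50}$") Or Not IsValid(ageRaw, "^[0-9]{1,3}$") Then
    Response.Status = "400 Bad Request"
    Response.Write "Invalid input."
    Response.End
End If

' The pattern to audit for and replace: user input concatenated into the SQL text.
'   sql = "INSERT INTO Guestbook (VisitorName, Age) VALUES ('" & visitorName & "', " & ageRaw & ")"

Dim conn, cmd
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=GuestbookDsn"               ' assumed system DSN; no password in the page

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Guestbook (VisitorName, Age) VALUES (?, ?)"
' Values travel as typed parameters, so a quote in a name (O'Brien) stays data.
cmd.Parameters.Append cmd.CreateParameter("name", adVarWChar, adParamInput, 50, visitorName)
cmd.Parameters.Append cmd.CreateParameter("age", adInteger, adParamInput, , CLng(ageRaw))
cmd.Execute , , adExecuteNoRecords

conn.Close
Set cmd = Nothing
Set conn = Nothing
Response.Write "Saved."
%>
```

The name pattern deliberately permits an apostrophe: validation narrows what is accepted, while the parameter binding is what keeps accepted characters from being read as SQL.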
May 11th, 2004, 10:30 AM
Thanks for the help guys