Database Security

Discussion in 'ASP.NET / ASP.NET Core' started by tunnel, Jun 15, 2003.

Thread Status:
Threads that have been inactive for 5 years or longer are closed to further replies. Please start a new thread.
  1. Hi. I'm new to discountasp. Just uploaded aspnet site with Jet OLEDB (Access) databases assigned with passwords. Now, do I need these? From what I can tell by trial-and-error, others can't access my database contents or download them (am I right???) so I'd like to get rid of passwords ... they're a bit difficult to manage during continual site enhancement.

    Thanks for any help!
    Graeme [:)]
     
  2. Bruce

    Bruce DiscountASP.NET Staff

    I suggest you keep the password protection on your database for maximum security.

    In theory, if an anonymous user knows the path to the database, they can download the database file.

     
  3. Thanks Bruce. Can you tell me more? From what I can tell, anon users can't ftp-download my files and can't view them through browser. Maybe I'm wrong, but I haven't managed to! How can they view table contents?
    Thanks again.
    Graeme
     
  4. Bruce

    Bruce DiscountASP.NET Staff

    Well...

    Say your database file name is northwind.mdb and it is located in the root directory.

    You can download the file by going to http://www.yourdomain.com/northwind.mdb. Once you download the file, you can just open it.

     
  5. Well, that's exactly what I CAN'T do! -well, haven't yet managed, as I get the old "HTTP 404 Not Found" message. I know what you say is true for my localhost, hence my including passwords. But seems, at least thru DiscountASP, that there is other security which stops the download. Is there some other way to overcome security?

    Thanks, Graeme
     
  6. Bruce

    Bruce DiscountASP.NET Staff

    It depends on which server your site is located.

    With IIS 5.0, we configure URLScan to block off .mdb download. Such a feature is not available with IIS 6.0.

    If it shows 404, then mdb download is blocked off by URLScan.

     
  7. I see Bruce. Thanks

    Thanks for any help!
    Graeme
     
  8. Aren't you totally IIS 6 now?


    Jon
    (Information doesn't want to be free, it wants to be sixty-nine cents @ pound)
     
  9. Bruce

    Bruce DiscountASP.NET Staff

    Nope... We still have IIS 5 servers (those who registered before May are on IIS 5).

     
  10. tunnel,

    Just to play it safe you can put your access databases in your cgi-bin folder. Perhaps make a data folder in your cgi-bin to hold them. There isn't anonymous access to the contents of the cgi-bin folder, so people can't get to it from the web, but your .net scripts can get to them.

    cheers,
    baj
     
  11. Bruce

    Bruce DiscountASP.NET Staff

    We are thinking about creating a special folder (say database) and setting the permission to have no IIS read permission (basically the same as the cgi-bin dir). Having users put the DB in the cgi-bin dir can sometimes get confusing?

    Any thoughts?

     
  12. Creating a database folder is a great idea.

    And that is actually how I'm storing mine.
    I just created a databases folder and used the permission manager to block off anonymous access to it.

    ScHiZo
    -------------------------------
    "Hi Bob". "Who's Bob?".[?]
     
  13. Yes, I agree having a data folder would be great. For now I have mine in the cgi-bin. prankernet0, good tip; I didn't even think about using the user permissions manager to block access to a data folder.

    Thanks,
    baj
     
  14. Bruce

    Bruce DiscountASP.NET Staff

    Depending on how your application is created, blocking off anonymous access can cause your app to not function.

    For example, if you have an asp page that needs to access the database file, the web server process runs under the anonymous user permission, and if anon user permission is denied, the app will fail.

    If we create a db folder, we do not mess w/ the NTFS permission but we change the IIS property on the folder to not allow read. That means, if a user calls http://yourdomain.com/database/test.mdb, they will get an error saying "HTTP Error 403.2 - Forbidden: Read access is denied."

    This is a really complex issue but I hope I explained it well.

    Thanks for your feedback.

     
  15. Bruce, is this setting already in place globally? If so, will you need to create and set the IIS permissions on the directory, or will simply creating the directory set the proper perms on it? I did create a "database" dir and was still able to download an MDB from it.

    Thx

     
  16. Bruce

    Bruce DiscountASP.NET Staff

    No. Even when we implement this, it'll only apply to new accounts.

    Drop us an email to support, we can set the IIS permission for your dir.

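The advice in this thread comes down to two checks: keep .mdb files out of any folder IIS will serve, and confirm it by requesting the file over HTTP and reading the status code. As an added example (not code from the thread, DiscountASP or any poster), this Python script audits a local web root for .mdb files that sit outside such folders and maps the status of a test request to the explanations given above; it assumes the folder names cgi-bin and database have had IIS read denied as described, and builds a constructed sample site so it runs offline.

```python
"""Audit a web root for Access .mdb files reachable over HTTP.
Added example, not code from the thread; it assumes a set of folder
names your host has configured IIS not to serve (cgi-bin, database)."""
import os
import tempfile

# Folders the thread treats as not readable by anonymous web users.
# Assumption: the host has actually denied IIS read on these folders.
DEFAULT_PROTECTED = frozenset({"cgi-bin", "database"})


def find_exposed_mdb(webroot, protected=DEFAULT_PROTECTED):
    """Return URL paths (relative to the site root) of .mdb files that
    sit in a directory IIS would serve, i.e. not under a protected folder."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = [] if rel_dir == "." else rel_dir.split(os.sep)
        if any(p.lower() in protected for p in parts):
            continue  # IIS read denied on an ancestor: not downloadable
        for name in filenames:
            if name.lower().endswith(".mdb"):
                exposed.append("/" + "/".join(parts + [name]))
    return sorted(exposed)


def interpret_status(status):
    """Map the HTTP status seen when requesting /somefile.mdb to what the
    thread says it means on this host."""
    if status == 200:
        return "EXPOSED: file is downloadable; move it or deny IIS read"
    if status == 404:
        return "blocked (likely URLScan DenyExtensions on IIS 5)"
    if status == 403:
        return "blocked (IIS read permission denied on the folder)"
    return "unexpected status; verify manually"


def build_sample_site():
    """Constructed sample layout so the audit can run stand-alone."""
    root = tempfile.mkdtemp()
    for rel in ("northwind.mdb", "data/orders.mdb",
                "cgi-bin/data/secure.mdb", "database/test.mdb"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()
    return root
```

Run `find_exposed_mdb` against your real site root to get the list of files a browser could fetch; anything it reports should be moved to a folder IIS does not serve or have its read permission denied as Bruce describes.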
     