With the development of the Internet, Web technologies change with each passing day. People are no longer satisfied with static HTML and increasingly want dynamic, interactive network technologies. Following the Common Gateway Interface (CGI), Microsoft's IIS+ASP solution has become a typical server-side web technology, widely used in online banking, e-commerce, online surveys, online inquiries, BBS, search engines and various other Internet applications. At the same time, the Access database, a desktop database system launched by Microsoft with the standard JET engine, has a large user base because of its simple functions and friendly interface. Currently, IIS+ASP+Access is the preferred solution for small and medium-sized Internet sites. However, along with convenience, this solution brings serious security issues.
I. Security Hazard Analysis
The main security risks of the IIS+ASP+Access solution come first from the security of the Access database itself, and secondly from the lack of security awareness and measures in the ASP page design process.
1. The database may be downloaded
In an IIS+ASP+Access website, if someone obtains or guesses the storage path and file name of the database by any means, the database can be downloaded to their local machine. For example, an online bookstore database is generally named book.mdb, store.mdb and so on, and is generally stored under "URL/database" or under the root directory "URL/"; anyone who types the address "URL/Database/store.mdb" can download the database.
2. The database may be decrypted
Since the encryption mechanism of the Access database is relatively simple, even if a password is set it is easily decrypted. The database system forms an encrypted string by combining the password entered by the user with a fixed key (for example, for Access 97 the key is 86 FB EC 37 5D 44 9C FA C6 5E 28 E6 13) and stores it in the region of the *.mdb file starting at address &H42. A decryption program is easy to write, and a small program of a dozen or so lines can obtain the password of any Access database. Therefore, once the database has been downloaded, its information has no security at all.
3. ASP page security
(1) Source code security risks. Because ASP is an interpreted (non-compiled) language, the security of the program source code is greatly reduced. If a hacker breaks into the site, the ASP source code can be obtained; at the same time, for users who rent server space, the source code of the ASP application may be leaked depending on the professional ethics of the individual server operator.
(2) Security issues that are easily overlooked in programming. ASP code uses forms to interact, and the corresponding parameters appear in the browser's address bar. If appropriate security measures are not taken, the verification can be bypassed and a page entered directly. For example, typing "...page.asp?x=1" in the browser directly enters the page that satisfies the "x=1" condition without going through the form page. Therefore, special measures must be taken on verification or registration pages to avoid such problems.
II. Methods to improve the security of an IIS+ASP website
1. Preventing the database from being downloaded
Because the encryption mechanism of the Access database is too simple, effectively preventing the database from being downloaded has become the top priority for improving the security of the ASP+Access solution. The following two methods are simple and effective.
(1) Unconventional naming. Give the Access database file a complex, unconventional name and put it several directory levels deep. For example, for an online bookstore database, do not name it "book.mdb" or "Store.mdb"; instead use an unconventional name such as faq9jl.mdb and put it in a multi-level directory such as ./akkt/kj61/acd/av5. It then becomes very difficult for a hacker to obtain the name of the Access database file by guessing.
(2) Use an ODBC data source. In ASP programming, wherever conditions allow, use an ODBC data source rather than writing the database path in the program; otherwise the database name is exposed together with the ASP source code, for example:
' The database path is hard-coded, so it leaks together with the ASP source
Set conn = Server.CreateObject("ADODB.Connection")
DBPath = Server.MapPath("./akkt/kj61/acd/av5/faq9jl.mdb")
conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & DBPath
Clearly, no matter how strange the database name or how deep the hidden directory, once the ASP source code is compromised the database is easy to download. If an ODBC data source is used, this problem does not arise:
' Only the data source name configured in the ODBC administrator appears in the source
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "ODBC-DSN name"
2. Encrypting ASP pages
To effectively prevent ASP source code from leaking, ASP pages can be encrypted. We have used two methods to encrypt ASP pages: one is to use component technology to encapsulate the programming logic in a DLL; the other is to use the Microsoft Script Encoder to encrypt the ASP page. The main problem with component technology is that every piece of code must be componentized, which is cumbersome and involves a large workload; using the Script Encoder to encrypt ASP pages is simple and works well. The Script Encoder is run as SCRENC.EXE with the syntax:
SCRENC [/s] [/f] [/xl] [/l defLanguage ] [/e defExtension] inputfile outputfile
where: /s suppresses screen output; /f specifies that the output file overwrites an input file of the same name; /xl specifies whether to add the @Language directive at the top of the .asp file; /l defLanguage specifies the default scripting language; /e defExtension specifies the extension of the file to be encrypted.
3. Registration Verification
To prevent unregistered users from entering the application system by bypassing the registration (login) interface, we use the Session object for registration verification. For example, we created the following registration page.
The design requires the system to open the hrmis.asp?page=1 page after successful registration. If the Session object were not used for registration verification, a user could type "URL/hrmis.asp?page=1" in the browser to bypass the registration interface and enter the system directly.
Here the Session object is used for registration verification:
After entering the application, the page first performs this verification.
Through the study of IIS+ASP+Access online application system security, we modified the existing system and obtained good results.
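The Session check from section II.3 together with the query-string bypass from section I.3(2), as an added example that is not code from the original article: a login page that validates the form against the Access database through an ODBC data source and marks the session, and the check placed at the top of hrmis.asp. The DSN name hrmis_dsn, the Users table with its username and pwd columns, and the session key HRMIS_USER are assumptions; the two pages are shown in one block.

```asp
<% Option Explicit %>
<%
' ---- login.asp (hypothetical name): validates the form and marks the session ----
Dim conn, cmd, rs, userName, passWord
userName = Request.Form("username")
passWord = Request.Form("password")

' Connect through an ODBC data source (assumed DSN name hrmis_dsn), so the
' .mdb path never appears in the ASP source, as recommended in section II.1(2).
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "DSN=hrmis_dsn"

' Parameterized query: the form values are never concatenated into the SQL text.
' Users(username, pwd) is an assumed table layout; in practice store a password
' hash in pwd and compare against that instead of the clear-text password.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT username FROM Users WHERE username = ? AND pwd = ?"
cmd.Parameters.Append cmd.CreateParameter("u", 200, 1, 50, userName) ' 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("p", 200, 1, 50, passWord)
Set rs = cmd.Execute

If rs.EOF Then
    rs.Close: conn.Close
    Response.Redirect "login.asp?failed=1"
Else
    rs.Close: conn.Close
    ' The session is marked only after the credentials were checked on the server.
    Session("HRMIS_USER") = userName
    Session.Timeout = 20            ' minutes of inactivity before the login expires
    Response.Redirect "hrmis.asp?page=1"
End If
%>

<% Option Explicit %>
<%
' ---- hrmis.asp (page name from the article): this check is the first statement
' on every protected page, so "hrmis.asp?page=1" typed into the address bar
' without logging in is redirected to the form instead of being served.
If Session("HRMIS_USER") = "" Then
    Response.Redirect "login.asp"
End If
' ... the page's own code, selected by Request.QueryString("page"), follows here
%>
```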