Maintain ASP application security

Source: Internet
Author: User
Tags: ntfs permissions

Web servers provide various methods to protect your ASP applications from unauthorized access and tampering. After reading the security information under this topic, take some time to carefully review your Windows NT and Web server security documentation.
NTFS permission
You can protect ASP application files by applying NTFS access permissions to individual files and directories. NTFS permissions are the basis of Web server security: they define different levels of access to files and directories for one or more users. When a user with a valid Windows NT account tries to access a file with restricted permissions, the computer checks the file's access control list (ACL), which defines the permissions granted to different users and user groups. If the user's account has permission to open the file, the computer allows the user to access it. For example, the owner of a Web application on a Web server must have the "Change" permission to view, modify, and delete the application's .asp files, whereas public users accessing the application should be granted only the "Read" permission so that they can view, but not change, the application's Web pages.

Maintain the security of Global.asa
To fully protect an ASP application, you must set NTFS file permissions for the appropriate users or user groups on the application's Global.asa file. If Global.asa contains a command that returns information to the browser and the Global.asa file itself is not protected, that information is returned to the browser even if the application's other files are protected.
Note: Be sure to apply consistent NTFS permissions across the application's files. For example, if you accidentally restrict the NTFS permissions on files that an application requires, users may be unable to view or run the application. To prevent such problems, plan carefully before assigning NTFS permissions to your applications.
Web Server Permissions
You can configure your Web server's permissions to restrict all users from viewing, running, and operating your ASP pages. Unlike NTFS permissions, which grant specific users access to application files and directories, Web server permissions apply to all users and do not differentiate between types of user accounts.
For users to be able to run your ASP application, follow these rules when setting Web server permissions:
Allow "Read" or "Script" permission on the virtual directory that contains the .asp files.
Allow "Read" and "Script" permission on virtual directories that contain .asp files and other files containing scripts, such as .htm files.
Allow "Read" and "Execute" permission on virtual directories that contain .asp files and other files that require "Execute" permission to run, such as .exe and .dll files.

Script Mapping
Script mapping ensures that the Web server does not accidentally serve the source code of .asp files. For example, even if "Read" permission is set on the directory containing the .asp files, because .asp files are mapped to the script-mapping application, the Web server will not return the source code of those files to the user.
Cookie Security
ASP uses a SessionID cookie to track information for a specific Web browser during an application visit, or session. This means that HTTP requests carrying the corresponding cookie are considered to come from the same Web browser. Web servers can use SessionID cookies to configure ASP applications with user-specific session information. For example, if your application is an online music store that lets users select and buy CD albums, you can use the SessionID to track a user's selections as they move through the application.
Can SessionID be guessed by hackers?
To prevent hackers from guessing SessionID cookies and gaining access to a valid user's session variables, the Web server assigns a random number to each SessionID. When a user's Web browser returns a SessionID cookie, the server retrieves the SessionID and the assigned number and checks whether it matches the generated number stored on the server. If the two numbers are the same, the user is allowed to access the session variables. The effectiveness of this technique lies in the length of the assigned number (64 bits), which makes it practically impossible for a hacker to guess the SessionID and steal a user's active session.
Encrypt important SessionID cookies
A hacker who has intercepted a user's SessionID cookie can use that cookie to impersonate the user. If the ASP application holds private information such as credit card or bank account numbers, a hacker with a stolen cookie can open an active session in the application and obtain that information. You can encrypt the communication link between your Web server and the browser to prevent the SessionID cookie from being intercepted.
Use the authentication mechanism to protect restricted ASP content
You can require every user attempting to access restricted ASP content to have a valid user name and password for a Windows NT account. Whenever a user attempts to access restricted content, the Web server performs authentication, that is, it confirms the user's identity by checking whether the user has a valid Windows NT account.
Web servers support the following authentication methods:

Basic authentication, which prompts the user to enter a user name and password.
Windows NT Challenge/Response authentication, which obtains the user's identity information from the user's Web browser in encrypted form.
Note, however, that Web servers verify user identities only when anonymous access is disabled or when the Windows NT file system permissions restrict anonymous access to the files.
Protect metabase
ASP scripts that access the metabase require administrator privileges on the computer running the Web server. When running these scripts from a remote computer, an authenticated connection is required, such as one using Windows NT Challenge/Response authentication. Create a server or directory for your management-level .asp files and set its Directory Security authentication method to Windows NT Challenge/Response authentication. Currently, only Microsoft Internet Explorer 2.0 or later supports Windows NT Challenge/Response authentication.
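The Web server permission rules from the "Web Server Permissions" section and the authentication setting for the management directory described here can both be applied from one administration script. The following WSH script is an added example, not code from the original page; it uses the IIS metabase ADSI provider, and Web site instance 1 and the virtual directory names MusicStore, MusicStore/bin and Admin are assumptions.

```vbscript
' Added example (not part of the original page): apply the Web server
' permission rules and the management-directory authentication setting
' through the IIS metabase (ADSI provider). Run with cscript on the server
' as an administrator. Site instance 1 and the virtual directory names
' MusicStore, MusicStore/bin and Admin are assumptions.
Option Explicit

Dim objApp, objBin, objAdmin

' Application content (.asp and .htm files with scripts): Read + Script only
Set objApp = GetObject("IIS://localhost/W3SVC/1/Root/MusicStore")
objApp.AccessRead    = True
objApp.AccessScript  = True
objApp.AccessExecute = False   ' no Execute where only script files live
objApp.AccessWrite   = False   ' no user may change the application's content
objApp.SetInfo

' Directory holding .exe/.dll components that must run: Read + Execute
Set objBin = GetObject("IIS://localhost/W3SVC/1/Root/MusicStore/bin")
objBin.AccessRead    = True
objBin.AccessExecute = True
objBin.AccessWrite   = False
objBin.SetInfo

' Management-level .asp files that touch the metabase: no anonymous access,
' Windows NT Challenge/Response only (Basic would send the password in clear
' unless the directory also requires SSL)
Set objAdmin = GetObject("IIS://localhost/W3SVC/1/Root/Admin")
objAdmin.AuthAnonymous = False
objAdmin.AuthBasic     = False
objAdmin.AuthNTLM      = True
objAdmin.AccessRead    = True
objAdmin.AccessScript  = True
objAdmin.SetInfo

' Read the values back so the change can be confirmed
WScript.Echo "MusicStore: Read=" & objApp.AccessRead & " Script=" & _
             objApp.AccessScript & " Execute=" & objApp.AccessExecute
WScript.Echo "Admin: Anonymous=" & objAdmin.AuthAnonymous & _
             " NTLM=" & objAdmin.AuthNTLM
```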

Use SSL to maintain application security
As a Web server security feature, Secure Sockets Layer (SSL) 3.0 provides a secure, virtually transparent way to establish encrypted communication connections with users. SSL ensures Web content authentication and reliably identifies users who access restricted Web sites.
With SSL, you can require users who attempt to access restricted ASP applications to establish an encrypted connection with your server, so that important information exchanged between users and the application cannot be intercepted.
Maintain file security
If an .asp file in an unprotected virtual root directory includes files from an SSL-enabled directory, SSL is not applied to the included files. Therefore, to ensure that the application is covered by SSL, make sure that both the including file and the included files are in the SSL-enabled directory.
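The include file below, an added example rather than code from the original page, turns the advice of the SessionID cookie, SSL and file security sections into one check every page runs first: it redirects plain-HTTP requests to HTTPS so the SessionID cookie and application data travel only over the encrypted link, and it lives in the SSL-enabled directory beside the pages that include it. The file name requiressl.inc and the virtual directory /MusicStore are assumptions.

```vbscript
<%
' Added example, not from the original page. Save as requiressl.inc in the
' SSL-enabled directory (assumed /MusicStore) and put this line at the top
' of every .asp page in that directory, before any HTML:
'   <!-- #include file="requiressl.inc" -->
Response.Buffer = True   ' a redirect must go out before any page output

Dim strHttps, strSecureUrl
' IIS reports "on" for a request that arrived over SSL, "off" otherwise
strHttps = LCase(Request.ServerVariables("HTTPS"))

If strHttps <> "on" Then
    ' Rebuild the same URL on https:// so the browser retries over the
    ' encrypted link; the page does no work at all on the plain connection
    strSecureUrl = "https://" & Request.ServerVariables("SERVER_NAME") _
                 & Request.ServerVariables("SCRIPT_NAME")
    If Len(Request.ServerVariables("QUERY_STRING")) > 0 Then
        strSecureUrl = strSecureUrl & "?" & Request.ServerVariables("QUERY_STRING")
    End If
    Response.Redirect strSecureUrl   ' ends processing of this page
End If

' Past this point the request is encrypted, so pages can use Session
' (for example Session("Cart")) without the cookie crossing the wire in clear.
%>
```

Because ASP issues the SessionID cookie on the first request to any .asp page, also set the whole virtual directory to require a secure channel in IIS so that the cookie is never issued over plain HTTP in the first place.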
Client Certificates
A secure way to control access to your ASP application is to require users to log on with client certificates. A client certificate is a digital ID that contains identity information about the user. It serves the same purpose as traditional identity documents such as passports or driver's licenses. A user usually obtains a client certificate from a trusted third-party organization, which confirms the user's identity before issuing the certificate. Generally, such organizations require the user's name, address, phone number, and organization name. (The details required vary with the level of identity assurance the certificate provides.)
Whenever a user attempts to log on to an application that requires verification, the user's Web browser automatically sends the client certificate to the server. If the Web server's Secure Sockets Layer (SSL) certificate mapping feature is correctly configured, the server can confirm the user's identity before allowing access to the ASP application.
ASP scripts for processing client certificates
As an ASP application developer, you can write scripts that check whether a certificate is present and read its fields. For example, you can read the User Name and Company Name fields from the certificate. Active Server Pages stores the certificate information in the ClientCertificate collection of the Request object.

The Web server must be configured to accept or require client certificates before ASP can process them; otherwise, the ClientCertificate collection will be empty.
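The page below is an added example, not code from the original page or from Microsoft: it reads the ClientCertificate collection the way the section describes, checking that a certificate is present and recognized before trusting its User Name and Company Name fields. It assumes the page sits in a directory configured to require client certificates; cervbs.inc is the constants file that ships with ASP, and the issuer name "Example Music Store CA" is a placeholder.

```vbscript
<!-- #include file="cervbs.inc" -->
<%
' Added example, not from the original page. cervbs.inc ships with ASP and
' defines ceCertPresent and ceUnrecognizedIssuer; the issuer name below is
' a placeholder for the one CA this application trusts.
Const TRUSTED_ISSUER_CN = "Example Music Store CA"

Dim lngFlags, strUser, strCompany

' Flags is empty when the server is not set to accept certificates, so
' prefix "0" before converting to get 0 instead of a type mismatch
lngFlags = CLng("0" & Request.ClientCertificate("Flags"))

If (lngFlags And ceCertPresent) = 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "A client certificate is required for this application."
    Response.End
End If

If (lngFlags And ceUnrecognizedIssuer) <> 0 Then
    Response.Status = "403 Forbidden"
    Response.Write "The certificate was issued by an authority this server does not recognize."
    Response.End
End If

' Accept only certificates from the CA this application trusts, and
' reject any whose validity period has already ended (ValidUntil is a Date)
If Request.ClientCertificate("IssuerCN") <> TRUSTED_ISSUER_CN _
   Or Request.ClientCertificate("ValidUntil") < Now() Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' Read the User Name and Company Name fields from the certificate subject
strUser    = Request.ClientCertificate("SubjectCN")
strCompany = Request.ClientCertificate("SubjectO")

Session("UserName") = strUser
Session("Company")  = strCompany

' Encode before echoing: the subject fields are text supplied by the
' certificate holder, not by your own code
Response.Write "Welcome, " & Server.HTMLEncode(strUser) & _
               " (" & Server.HTMLEncode(strCompany) & ")"
%>
```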