Security for ASP applications

Never underestimate the importance of properly configuring security settings. If you do not configure your security settings correctly, you not only expose your ASP application to unnecessary tampering, but also risk preventing legitimate users from accessing your .asp files.

Web servers provide a variety of ways to protect your ASP applications from unauthorized access and tampering. After you have read the security information under this topic, take a moment to double-check your Windows NT and Web server security documentation.

NTFS Permissions
You can protect ASP application files by applying NTFS access permissions to individual files and directories. NTFS permissions are the basis of Web server security; they define the different levels of access to files and directories granted to a user or a group of users. When a user with an active Windows NT account attempts to access a file with permission restrictions, the computer checks the file's access control list (ACL). This list defines the permissions given to different users and groups of users. If the user's account has permission to open the file, the computer allows the user to access it. For example, the owner of a Web application on a Web server needs Change permission to view, change, and delete the application's .asp files. Public users who access the application, however, should be granted only Read permission, which restricts them to viewing the Web pages without being able to change the application.

Maintain the safety of global.asa
To fully protect your ASP application, be sure to set NTFS file permissions on the application's Global.asa file for the appropriate users or groups of users. If Global.asa contains commands that return information to the browser and you do not protect the Global.asa file, that information is returned to the browser even if the application's other files are protected.

Note Be sure to apply uniform NTFS permissions to your application's files. For example, a user might be unable to view or run the application if you inadvertently over-restrict the NTFS permissions on a file that the application needs. To prevent this type of problem, plan carefully before assigning NTFS permissions to your application.

Web Server Permissions
You can restrict how your ASP pages are viewed, run, and manipulated by all users by configuring your Web server's permissions. Unlike NTFS permissions, which control how a particular user accesses application files and directories, Web server permissions apply to all users and do not differentiate between types of user accounts.


For users to be able to run your ASP application, follow these guidelines when setting Web server permissions:

• Allow Read or Script permissions on virtual directories that contain .asp files.
• Allow Read and Script permissions on virtual directories that contain .asp files and other files containing scripts (such as .htm files).
• Allow Read and Execute permissions on virtual directories that contain .asp files and other files that require Execute permission to run (for example, .exe and .dll files).

Script Mapping File

The application's script mapping ensures that the Web server does not accidentally download the source code of an .asp file. For example, even if you set Read permission on a directory that contains an .asp file, as long as that .asp file is part of a script-mapped application your Web server will not return the file's source code to the user.

Cookie Security
ASP uses SessionID cookies to track information about a specific Web browser while it accesses the application, that is, during a session. This means that HTTP requests carrying the corresponding cookie are considered to come from the same Web browser. The Web server can be configured so that ASP applications associate user-specific session information with the SessionID cookie. For example, if your application is an online music store that lets the user select and purchase CDs, you can use the SessionID to track the user's choices as they move through the entire application.


Can SessionID be guessed by hackers?
To prevent computer hackers from guessing a SessionID cookie and gaining access to a legitimate user's session variables, the Web server assigns a randomly generated number to each SessionID. Whenever the user's Web browser returns a SessionID cookie, the server extracts the SessionID and the assigned number and checks whether it matches the number that was generated and stored on the server. If the two numbers match, the user is allowed to access the session variables. The effectiveness of this technique lies in the length of the assigned number (64 bits), which makes the probability of a computer hacker guessing a SessionID and stealing a user's active session almost 0.


Encrypt important SessionID Cookies
A computer hacker who intercepts a user's SessionID cookie can use it to impersonate that user. If the ASP application contains private information such as credit card or bank account numbers, a hacker possessing the stolen cookie can start an active session in the application and obtain that information. You can prevent the SessionID cookie from being intercepted by encrypting the communication link between your Web server and the user's browser.

Using authentication mechanisms to protect restricted ASP content
You can require that every user attempting to access restricted ASP content have a valid Windows NT account user name and password. Whenever a user attempts to access restricted content, the Web server performs authentication, confirming the user's identity by checking that the user has a valid Windows NT account.


The Web server supports the following authentication methods:

• Basic authentication prompts the user for a user name and password.
• Windows NT Challenge/Response authentication obtains the user's identity information from the user's Web browser in encrypted form.

Note, however, that the Web server authenticates the user's identity only when anonymous access is disabled or when the user attempts to access content restricted by Windows NT file system permissions.

Securing the metabase
ASP scripts that access the metabase require administrator privileges on the computer on which the Web server is running. When you run these scripts from a remote computer, you must have an authenticated connection, for example by connecting with Windows NT Challenge/Response authentication. You should create a separate virtual directory for administrative-level .asp files and set its directory security authentication method to Windows NT Challenge/Response authentication. Currently, Windows NT Challenge/Response authentication is supported only by Microsoft Internet Explorer version 2.0 or later.

Using SSL to maintain application security
The Secure Sockets Layer (SSL) 3.0 protocol, a Web server security feature, provides a secure, virtual, transparent way to establish an encrypted communication connection with the user. SSL guarantees the authenticity of the Web content and reliably confirms the identity of the user accessing the restricted Web site.

With SSL, you can require users attempting to access a restricted ASP application to establish an encrypted connection with your server, preventing the interception of important information exchanged between the user and the application.

Maintaining security for Include files
If an .asp file located in an unprotected virtual root directory includes a file located in an SSL-enabled directory, SSL is not applied to the included file. Therefore, to ensure that SSL is applied, make sure that both the including file and the included file are located in SSL-enabled directories.
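As an added example that is not part of the original page, a server-side check a file can apply to itself so that being included from a directory without an SSL requirement does not cause its content to be returned over a plaintext connection. The file name is hypothetical, and the code relies on the HTTPS, SERVER_NAME, URL, QUERY_STRING and REQUEST_METHOD server variables.

```vbscript
<%
' secure_check.inc: constructed example name, not a file from the original
' page or from IIS. Include it as the first line of every file that must be
' served only over SSL, including files that are themselves pulled in by
' pages in directories without an SSL requirement, so that the content is
' never written onto a plaintext connection.

' True when IIS received the request over SSL.
Function RequestIsSSL()
    RequestIsSSL = (LCase(Request.ServerVariables("HTTPS")) = "on")
End Function

' The https:// form of the current URL, so a plain-HTTP GET can be sent to
' the encrypted equivalent instead of being refused outright.
Function SecureUrl()
    Dim url
    url = "https://" & Request.ServerVariables("SERVER_NAME") & _
          Request.ServerVariables("URL")
    If Len(Request.ServerVariables("QUERY_STRING")) > 0 Then
        url = url & "?" & Request.ServerVariables("QUERY_STRING")
    End If
    SecureUrl = url
End Function

If Not RequestIsSSL() Then
    If UCase(Request.ServerVariables("REQUEST_METHOD")) = "GET" Then
        Response.Redirect SecureUrl()   ' Redirect also ends the response
    Else
        ' A POST body has already crossed the wire in the clear; do not act
        ' on it, and do not send the protected content back the same way.
        Response.Status = "403 Forbidden"
        Response.End
    End If
End If
%>
```

Place the include directive before any output is written, so the redirect can still be issued when response buffering is off.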

Client Certificate Authentication
A very secure way to control access to your ASP application is to require users to log in with a client certificate. A client certificate is a digital ID that contains the user's identity information; its role is the same as that of a traditional proof of identity such as a driver's license. Users usually obtain client certificates from a trusted third-party organization, which confirms the user's identity information before issuing the certificate. (Typically, such organizations require a name, address, phone number, and organization name; the level of detail varies depending on the level of assurance being granted.)

Whenever a user attempts to log on to an application that requires authentication, the user's Web browser automatically sends the user's certificate to the server. If the Web server's Secure Sockets Layer (SSL) certificate mapping properties are configured correctly, the server can then confirm the user's identity before granting access to the ASP application.

ASP scripts for processing client certificates
As an ASP application developer, you can write a script to check whether a certificate exists and to read the certificate's fields. For example, you can access the user name field and the company name field from the certificate. Active Server Pages holds certificate information in the ClientCertificate collection of the Request object.

The Web server must be configured to accept or require client certificates before they can be processed by ASP; otherwise, the ClientCertificate collection will be empty.
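An added example, not from the original page: an ASP page that checks the ClientCertificate collection the way the paragraph describes and authorizes the user from the verified certificate's fields rather than from anything typed into a form. The flag constants match the names IIS ships in cervbs.inc; the expected organization and issuer names are constructed values.

```vbscript
<%@ Language=VBScript %>
<%
Option Explicit

' Flag bits reported in Request.ClientCertificate("Flags"); the names match
' the constants IIS ships in cervbs.inc.
Const ceCertPresent        = 1
Const ceUnrecognizedIssuer = 2

' Constructed example values: the organization the certificate must name
' and the issuing authority the application trusts.
Const EXPECTED_SUBJECT_O = "Example Corp"
Const EXPECTED_ISSUER_O  = "Example Corp Internal CA"

' True only when a client certificate was presented and its issuer is one
' the Web server recognizes. The collection is empty unless the server is
' configured to accept or require client certificates, so a missing Flags
' value is treated as "no certificate".
Function CertificatePresent()
    Dim flags
    CertificatePresent = False
    flags = Request.ClientCertificate("Flags")
    If IsEmpty(flags) Then Exit Function
    If Not IsNumeric(flags) Then Exit Function
    If (flags And ceCertPresent) = 0 Then Exit Function
    If (flags And ceUnrecognizedIssuer) <> 0 Then Exit Function
    CertificatePresent = True
End Function

' Authorizes the user from fields of the verified certificate only.
Function CertificateAuthorized()
    CertificateAuthorized = False
    If Not CertificatePresent() Then Exit Function
    If Request.ClientCertificate("SubjectO") <> EXPECTED_SUBJECT_O Then Exit Function
    If Request.ClientCertificate("IssuerO") <> EXPECTED_ISSUER_O Then Exit Function
    If Len(Request.ClientCertificate("SubjectCN")) = 0 Then Exit Function
    CertificateAuthorized = True
End Function

If Not CertificateAuthorized() Then
    Response.Status = "403 Forbidden"
    Response.Write "A valid client certificate is required."
    Response.End
End If

' From here on, the certificate's common name identifies the user.
Response.Write "Welcome, " & Server.HTMLEncode(Request.ClientCertificate("SubjectCN"))
%>
```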
