Introduction: Yesterday and animator test a bit, the Data.mdb file renamed data.asp file in the Wwwroot directory. Then in IE input data.asp path, found that IE shows a blank, right key-> view source file, out of Notepad, the content saved as an. mdb file, opened with access, found that a password was required, that is, at least the file header was corrupted.
Then use the FlashGet test to download the data.asp file and save it as a Data.mdb file, and discover that access is turned on intact!!! It seems that a good number of programmers in the development of the time to think that the MDB suffix to the ASP can be downloaded to prevent the concept of the wrong! Background database download for a asp+access site is undoubtedly a tragic disaster. Today to find the articles, summed up there are the following 9 ways to prevent the database is downloaded (Welcome to add):
1. Play your imagination modify the database file name
Needless to say, this is the most lazy way, but if the attacker through a third-party access to the path of the database, the game is over. For example, the attacker would have only access to the list right, the result of unexpectedly see the database path, can be sounding the database to download back to study. In addition, the data files are usually large in size, and the hidden file names can not deceive people. So confidentiality is the lowest.
2. Database name suffix to ASA, ASP, etc.
This method should be in conjunction with some settings, or else it will appear at the beginning of this article
(1) Binary field add (this recruit I have not yet refined into-_-+).
(2) In this file to add <% or%>,iis will be parsed by ASP syntax, and then will report 500 errors, nature can not download. But if it's simply a matter of adding <% to the text or Memo field in the database, it won't work, because access will handle the contents of it, and in the database he will be in the form of <, invalid! The correct approach is to save the <% into the OLE Object field so that our purpose is achieved.
To make a method:
First of all, use Notepad to create a new content for <% text file, a name to archive.
Next, open your database file with access, create a new table, name it, add an OLE object's field to the table, add a record, insert the previously created text file, and, if it is correct, you should be able to see a newer record named "Packet". Can
3. Database name before adding "#"
Just add the first name of the database file to the #, and then modify the database address in the database connection file (such as conn.asp). The principle is to download the time can only identify #号前名的部分, for the back of the automatic removal, such as you want to download: http://www.pcdigest.com/date/#123. mdb (if present). Whether it is IE or flashget and so on are http://www.test.com/date/index.htm (index.asp, default.jsp, etc. you set up in the IIS homepage document)
In addition, in the database file name to retain a number of spaces also play a similar role, because the HTTP protocol to address the specificity of resolution, the space will be encoded as "%", such as http://www.test.com/date/123 456.mdb, download the time http:// Www.test.com/date/123%456.mdb. And our directory is not 123%456.mdb this file, so the download is invalid such modifications, even if you expose the database address, under normal circumstances, others are also unable to download!
4. Encrypt the database
First in the selection tool-> security-> encryption/decryption database, select the database (such as: Employer.mdb), and then determine, then the "Database encryption Save as" window, Save as: Employer1.mdb. Then the employer.mdb will be encoded and stored as employer1.mdb. Note that the above action does not set a password on the database, but only encodes the database file to prevent others from using other tools to view the contents of the database file.
Next we encrypt the database, first by opening the encoded Employer1.mdb, and when we open it, select "Exclusive" mode. Then select the "Tools-> security-> Set Database Password" in the menu, and then enter your password. So even if someone gets the Employer1.mdb file, he can't see Employer1.mdb without a password.
To modify the database Connection page after encryption, such as:
Conn.Open "Driver={microsoft Access Driver (*.mdb)};uid=admin;pwd= database password; dbq= database path"
After this modification, the database can not be opened even if it is downloaded (provided that the password on your database connection page is not compromised).
However, it is noteworthy that, because the Access database encryption mechanism is relatively simple, even if the password is set, decryption is easy. The database system forms an encrypted string by "XOR" the password entered by the user with a fixed key and stores it in the area where the *.mdb file starts at the address "&h42". So a good programmer can easily make a dozens of-line applet to get the password of any Access database easily. Therefore, as long as the database is downloaded, its information security is still unknown.
5. The database is placed outside the Web directory or the database connection file is placed under another virtual directory
If your web directory is e:\webroot, you can put the database into the E:\data folder, in the E:\webroot database Connection page to modify the database connection address is: ". /data/database name ", so that the database can be called normally, but cannot be downloaded because it is not in the Web directory! This method is generally not suitable for users who buy virtual space.
6. Use an ODBC data source.
In the ASP and other program design, if there is a condition, should try to use ODBC data source, do not write the database name in the program, otherwise, the database name with the ASP source code with the Official secrets of the Official secrets, such as: DBPath = Server.MapPath (". /123/abc/asfadf.mdb ")
Conn.Open "Driver={microsoft Access driver (*.mdb)};d bq=" & DBPath
Visible, even if the database name is strange, hidden directory again deep, the ASP source code compromised, also very easy to download down. If you use an ODBC data source, there will not be such a problem: Conn.Open "odbc-dsn name", but this is more annoying, the directory to move and then reset the data source, more convenient way to see the 7th, 8 law!
7. Add a database name, such as an MDB extension map
This method is implemented by modifying the IIS settings, and is suitable for friends with IIS control and is not suitable for buying virtual host users (unless the administrator has already set them up). I think this method is the best at present. As long as you modify one place, the entire site's database can be prevented from being downloaded. There is no need to modify the code, even exposing the destination address can prevent downloads.
We add the application resolution of the. mdb file in the IIS properties---home directory---configuration---mapping---application extensions. Note that the selection of the DLL (or EXE, etc.) does not seem to be arbitrary, the choice of improper, this MDB file can still be downloaded, note that it is best not to choose Asp.dll. You can test it yourself.
After this modification, download the database such as: Http://www.test.com/data/dvbbs6.mdb. Appears (404 or 500 Errors)
8: Use. NET's advantages
The wooden bird on the net has written a "Wbal anti-theft chain tool" to prevent illegal downloading of files. Concrete can be landed http://www.9seek.com/WBAL/;
But that only implemented to prevent non-local downloads, did not play a real download database functionality. But this method has been similar to the 5 law can be modified. NET files, to achieve local also can not download!
These methods, only the 7th and 8 are unified change, once modified configuration, the entire site of the database can be prevented from downloading, the other several to modify the database name and connection files, more trouble, but for the virtual host of friends can only be so!
In fact, the 6th method should be the 5th extension of the method, you can achieve special functions, But not for support. NET host or afraid of setting trouble, or directly using the 5th method, and by default, the 6th method, still can be connected to the same host by copying the forum or message published, and then you can click to download (because such a reference page is from the same host)
9. Use NTFS partition file permission settings (by Percyboy)
We already know that Access databases are accessed using Ado.net in asp.net, and Access databases are accessed via OLE DB connections-one of our most common low-end databases. This article discusses some of the error prompts you may see in ASP.net, where you see the database files created by Access 2000 and Access XP, and a less common error message occurs when an error occurs. Hope to help you. Another important point is that, hopefully, this article will give you a new understanding of NTFS permissions settings for Access database files in asp.net.
(i) the experimental process
For the sake of convenience, give a concrete example to do an experiment: The application is/test, the database is stored in D:\wwwroot\test\data\db1.mdb, we already know that in asp.net, we are accessing the database in the identity of a virtual user called the ASPNET. We need to give this account a specific NTFS permission to make the ASP.net program work.
To get the most restrictive NTFS permission settings, we gave the program the lowest NTFS permissions at the beginning of the experiment:
A D:\wwwroot\test\data\ the folder to the user ASPNET with the following permissions:
Allow Deny
Full Control-
Modified-
Read and run √-
Lists folder directories √-
Read √-
Write-
b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:
√ Allows inheritable permissions from the parent to propagate to the object
1.1 For an ASPX program that contains only the "SELECT" command, the above permission setting has no barrier to running: The above permission has already satisfied the operation of such a program.
1.2 For ASPX programs that contain commands such as "Update" INSERT "Update",
(a) If Db1.mdb is a database created by Access 2000, the following error occurs:
A server error in the "/test" application.
---------------------------------------
The Microsoft Jet database engine does not open the file ' D:\wwwroot\test\data\ '. It has been opened exclusively by another user or does not have permission to view the data.
Note: An unhandled exception occurred during the execution of the current WEB request. Check the stack trace for more information about the error and where the error occurred in the code.
Exception Details: The System.Data.OleDb.OleDbException:Microsoft Jet Database engine does not open the file ' D:\wwwroot\test\data\ '. It has been opened exclusively by another user or does not have permission to view the data.
(b) If Db1.mdb is a database created by Access XP, the following error occurs:
A server error in the "/test" application.
----------------------------------------------
The operation must use an updatable query.
Note: An unhandled exception occurred during the execution of the current WEB request. Check the stack trace for more information about the error and where the error occurred in the code.
Exception Details: System.Data.OleDb.OleDbException: The operation must use an updatable query.
(c) Preliminary analysis: Because there are commands such as "Update" INSERT "Update" that require writing to the database file itself, the above permissions do not meet this requirement, and we need to further release the permissions.
We let go of some authority,
A) The D:\wwwroot\test\data\ folder is unchanged:
b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:
Allow Deny
Full Control-
Modified-
Read and run √-
Lists folder directories √-
Read √-
Write to √-
1.3 After releasing the permission to continue the experiment,
(a) If Db1.mdb is a database created by Access 2000, the following error occurs:
A server error in the "/test" application.
------------------------------------------
Cannot lock file.
Note: An unhandled exception occurred during the execution of the current WEB request. Check the stack trace for more information about the error and where the error occurred in the code.
Exception Details: System.Data.OleDb.OleDbException: Cannot lock file.
(b) If Db1.mdb is a database created by Access XP, no error occurs.
(c) Preliminary analysis: We find that when an Access database is opened, a *.ldb file with the same name is generated in the same directory as the lock tag for access. In view of this, we suspect that when the user ASPNET accesses an Access database, it is also necessary to generate a lock tag, which does not allow it to be written, and therefore has an error. The reason why the database created by Access XP does not have this error is unknown.
We further liberalized our authority,
A D:\wwwroot\test\data\ folder to the user ASPNET with the following permissions:
Allow Deny
Full Control-
Modified-
Read and run √-
Lists folder directories √-
Read √-
Write to √-
b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:
√ Allows inheritable permissions from the parent to propagate to the object
1.4 Continue the experiment, found that the error has been resolved, then the above permission is we need to release the "least privilege".
(a) If Db1.mdb is a database created by Access 2000, we will find a small problem: the generated *.ldb file will not be deleted by itself, but the file still exists after the visit, but this problem does not affect the normal operation of ASP.net.
(b) If Db1.mdb is a database created by Access XP, there is no such problem.
(c) Preliminary analysis: We just gave the ASPNET the right to write to the folder, without the permissions to modify it, so once the file is written, it cannot modify its contents, and the *.LDB is deleted.
If you do not want to solve this problem, further release permissions are:
A D:\wwwroot\test\data\ folder to the user ASPNET with the following permissions:
Allow Deny
Full Control-
Modify √-
Read and run √-
Lists folder directories √-
Read √-
Write to √-
b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:
√ Allows inheritable permissions from the parent to propagate to the object
1.5 with it, experiment with another scenario: We turn Db1.mdb in Access, and access asp.net.
(a) If Db1.mdb is a database created by Access 2000, we find that there are no problems.
(b) If Db1.mdb is a database created by Access XP, the following error occurs:
A server error in the "/zhao" application.
------------------------------------------------
Cannot use '; file is already in use.
Note: An unhandled exception occurred during the execution of the current WEB request. Check the stack trace for more information about the error and where the error occurred in the code.
Exception Details: System.Data.OleDb.OleDbException: Cannot use '; file is already in use.
(c) Preliminary analysis: The Access database is a single user single-threaded database, and when we open the Edit database file in Access, we open the database in the identity of the current Windows user (such as Administrator), and ASP.net defaults to using the The ASPNET virtual user (attached to the Users group) has a conflict error because the level is below the administrator and the administrator cannot "snatch" permissions. As far as Access 2000 ignores this problem, we don't have to discuss it, and maybe Access 2000 doesn't take that many factors into consideration.
1.6 There is another scenario: Change the Db1.mdb property to read-only, and either Access 2000 or access XP will have the same error message as each of the 1.2 errors.
(ii) Conclusion of the experiment
(1) Let's first summarize the origin of NTFS permission settings for Access database files:
The default in ASP.net is to access and manipulate the database in the identity of a virtual user named ASPNET, which you can see in Control Panel-Administrative Tools-Computer Management-Local Users and groups-users, by default:
Full name: asp.net computer account
Described as: The account used to run the ASP.net worker process (aspnet_wp.exe).
Subordinate to: Users group.
The risk of using a user who is subordinate to the Users group for file operations and database operations is much less risky than using a Administrators group of users, and this is a security concern for asp.net.
Since this is a user who needs to access and manipulate the database file itself, we need to give it a certain NTFS permission to allow it access. Obviously, without NTFS permission, the ASPNET cannot access and manipulate the database, and the errors that are seen in the previous experiment appear.
(2) After the above experiments, we already know that the following NTFS permission settings are available to meet the general requirements:
A D:\wwwroot\test\data\ folder to the user ASPNET with the following permissions:
Allow Deny
Full Control-
Modified-
Read and run √-
Lists folder directories √-
Read √-
Write to √-
b D:\wwwroot\test\data\db1.mdb The file itself to the user ASPNET with the following permissions:
√ Allows inheritable permissions from the parent to propagate to the object
At the same time, we also notice that Db1.mdb is a "read-only" file that also has a certain impact on the access to the ASPNET.
(3) The above permission settings can be set directly to the ASPNET user, or set to the Users group, or directly to the Everyone group. Because the ASPNET is part of the Users group, you can set permissions for the ASPNET through the user group.
(4) NTFS permissions are set in the Properties dialog box-the Security tab-when a file or folder is right-clicked. In general, you can consider giving the Adminitrators group Full Control permission, and do not easily tick in ' deny ', tips on NTFS permission settings, Can consult network administrator, network security expert's suggestion.
Note: NTFS permissions are not supported in FAT, FAT32-formatted partitions.
(5) The Windows 2000 series, the Security tab of the Windows Server 2003 series, is easily found by default, but the Security tab in Windows XP Professional is turned off by default and you can control Panel-Folder Options- On the View tab, in the Advanced settings, use simple sharing (recommended) "√" removal, OK, and then follow the above method to see the Security tab again.
===========
To sum up, 2, 3, 4 method together, is to prevent the database is downloaded the most basic, the most effective method, not only for the server has jurisdiction of network management, but also applicable to the user of the virtual host, recommend each of the producers must use these three methods
If you have jurisdiction over the server, plus method 9, the security of your Access database can be greatly improved.
Suppose the site is Bauku (the attacker gets the URL of the database through various means). For the defense of weaker web systems, this means that the database will be downloaded by the attacker, and all background data on the site are compromised.
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion;
products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the
content of the page makes you feel confusing, please write us an email, we will handle the problem
within 5 days after receiving your email.
If you find any instances of plagiarism from the community, please send an email to:
info-contact@alibabacloud.com
and provide relevant evidence. A staff member will contact you within 5 working days.