1. Prevent database downloads
Because the Access database encryption mechanism is too simple to effectively prevent the database from being downloaded, improving the security of ASP + Access solutions becomes the top priority. The following two methods are simple and effective.
(1) Unconventional naming. Give the Access database file a complex, unconventional name and place it several directories deep. For example, for an online bookstore database, do not name it "book.mdb" or "store.mdb"; use an unconventional name such as "faq9jl.mdb" and put it in a directory such as "/akkt/kj61/ACD/av5". It is then difficult for an attacker to obtain the Access database file name by guessing.
(2) Use an ODBC data source. In ASP programming, use an ODBC data source whenever conditions allow, and do not write the database name into the program. Otherwise, if the ASP source code is leaked, the database name and path leak along with it. For example:
Set Conn = Server.CreateObject("ADODB.Connection")
dbpath = Server.MapPath("./akkt/kj61/ACD/av5/faq9jl.mdb")
Conn.Open "DRIVER={Microsoft Access Driver (*.mdb)};DBQ=" & dbpath
It can be seen that no matter how odd the database name is or how deep the hidden directory goes, once the ASP source code is leaked the database is easily downloaded, because the full path is written in the code. If an ODBC data source is used instead, this problem does not arise:
Conn.Open "DSN=<ODBC DSN name>"
2. Encrypt ASP pages
To effectively prevent ASP source code leakage, you can encrypt ASP pages. We used two methods to encrypt ASP pages: one is to use component technology to encapsulate the programming logic in a DLL; the other is to use the Microsoft Script Encoder to encrypt the ASP pages. The main problem with component technology is that every piece of code has to be turned into a component, which is complicated and requires a lot of work. Using the Script Encoder to encrypt ASP pages, by contrast, is simple and effective. The Script Encoder program is screnc.exe, and its usage is as follows:
screnc [/s] [/f] [/xl] [/l defLanguage] [/e defExtension] inputfile outputfile
Where: /s suppresses screen output; /f lets the output file overwrite an input file of the same name; /xl omits the @language directive that would otherwise be added at the top of an .asp output file; /l defLanguage specifies the default script language; /e defExtension specifies the extension of the file to be encrypted.
3. Login Verification
To prevent unregistered users from bypassing the login interface and accessing the application system directly, we use the Session object for login verification. For example, we have created the following login page.
Design requirement: after a successful login, the system opens the page HRMIS.asp?page=1. Suppose the Session object is not used for login verification; a user could then type "url/HRMIS.asp?page=1" into the browser, bypass the login interface, and access the system directly.
Here, the Session object is used for login verification:
<%
' Read the account and password entered by the user
userid = Request("userid")
password = Request("password")
' Check whether userid and password are correct
If userid <> "HRMIS" Or password <> "password" Then
    Response.Write "Account Error!"
    Response.End
End If
' Set the session object to the verified state
Session("passed") = True
%>
After entering the application, verify first:
<%
' If the verification fails, return to the login page
If Not Session("passed") Then
    Response.Redirect "login.asp"
End If
%>
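As an added example (not the article's code), the following assumed include file auth.asp gathers the three handlers of a session-gated login in classic ASP: every protected page, HRMIS.asp included, calls RequireLogin at the top, login.asp calls HandleLogin, and an assumed logout.asp calls HandleLogout. The credentials are placeholders, as in the article.

```vbscript
<%
' auth.asp (assumed name): session-gated login helpers for classic ASP.

' RequireLogin: call at the top of every protected page. A direct request for
' HRMIS.asp?page=1 without a prior login is sent back to login.asp.
Sub RequireLogin()
    If Session("passed") <> True Then
        Response.Redirect "login.asp"   ' Redirect also stops further processing
    End If
End Sub

' HandleLogin: read credentials from the POST body only. The article's
' Request("userid") also falls back to the query string, which would let a
' login succeed with the password visible in the URL and in server logs.
Sub HandleLogin()
    Dim userid, password
    userid = Request.Form("userid")
    password = Request.Form("password")
    ' Placeholder credentials, as in the article; a deployment would look them
    ' up through the ODBC DSN from section 1 rather than hard-code them here.
    If userid <> "HRMIS" Or password <> "password" Then
        Response.Write "Account Error!"
        Response.End
    End If
    Session("passed") = True
    Session("userid") = userid
    Response.Redirect "HRMIS.asp?page=1"
End Sub

' HandleLogout: drop the whole server-side session, not just the flag, so a
' stale session cookie cannot reuse the verified state.
Sub HandleLogout()
    Session.Abandon
    Response.Redirect "login.asp"
End Sub
%>
```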