Incomplete manual for ASP Security Configuration

Safety

--From ASP program to server configuration

The ASP full name Active Server Pages is a Microsoft-launched Dynamic Server Web technology to replace CGI (Common Gateway Interface). Because the ASP is easy to learn, and Microsoft this strong background support, so the application is more extensive, relatively the defects found in the program and the loopholes are also more. The server-side platforms that ASP can run include: WinNT, Win2K, WinXP, and Win2003, which can also be run in Win98 environments. Now let's talk about the security configuration of the ASP for both the Win2K and Win2003 systems.

ASP Program Security article:
Before making the security configuration, let's take a look at the intruder's attack tactics. It is now very popular injection attacks, the so-called injection attacks, is the use of the submission of special addresses to the ASP referenced in the normal SQL statements and the SQL statements required by the intruder to execute, so that the intruder to achieve the purpose of the invasion. Now there are some script injection tools released, so that rookie can also easily complete the injection of ASP attacks. So let's take a look at how these tools are injected.
First, the intruder will determine whether a Web site can be injected, assuming the address of an article is: Http://www.scccn.com/news.asp?id=1 will typically submit two addresses to test, such as:
Http://www.scccn.com/news.asp?id=1 and 1=1
Http://www.scccn.com/news.asp?id=1 and 1=2
After the first address is appended with and 1=1, the SQL statement that constitutes it becomes: the Select * from table single-name where id=1 and 1=1 must be set up before and after the statement. So the previous article address is accessible, the back of the 1=1 is also objectively established, then the first address can be displayed normally; instead, 1=2 is clearly not tenable, the key is to see this step, if the submission and 1=2 page or normal display shows that he did not write and 1=2 to the SQL statement, The station also does not have an injection vulnerability, but if the error page is returned after submitting an and 1=2, then the site takes the following statement into the SQL statement and executes it, which means that he can do SQL injection. (Note: If the address is followed by news.asp?id= ' 1 ' it will have to become news.asp?id=1 ' and ' 1 ' = ' to fill the full quote)
So what can an intruder do when it's ready to be injected?
Here is a simple point, such as the submission of such an address:
Http://www.scccn.com/news.asp?id=1 and exists (SELECT * from table name where column name = data)
According to the correct or wrong page returned to determine whether the guessed table name and column name is correct, when the realization is to guess the table name and then guess the column name. After guessing the table name and column name, you can also use the ASC and mid functions to guess the data for each column. The mid function is formatted as: Mid (variable name, number of characters beginning to read, reading several characters), for example: Mid (pwd,1,2) can read two-bit characters from the first digit in the variable pwd. The ASC function is in the form of ASC ("string"), such as: ASC ("a") to read the ASCII code of the letter A. Then the actual application can be written as: ASC (Mid (pwd,1,1)) read the PWD column of the first character of the ASCII code, submitted: ASC (Mid (pwd,1,1)) > 97 whether the returned page is the correct page to determine whether the ASCII code for the first character of the PWD column is greater than the ASCII code of the (a), and if so, try again if it is less than 122 (Z's ASCII) ... This slowly narrows the ASCII range of the characters, and guessing the real ASCII code is only a matter of time. A single guess will get the username and password in the database. There is also an ASP authentication flaw--that is, the username and password are both lost ' or ' 1 ' = ' 1, construct SQL statement select * Form table single-name where username= ' or ' 1 ' = ' 1 ' and pwd= ' or ' 1 ' = ' 1 ' to achieve the goal of bypassing password verification Of
Say so much, in fact the method of prevention is very simple, we can prevent the injection of special characters (such as and, or, ', ') to prohibit the submission. The ASP transfer data is divided into get and post two kinds, get is by adding the data to the URL after the way, post is to use the mailing information data fields to transfer data to the server.
So, let's take a look at how to submit a Get method to a special character filter in the data. The first thing to know is that IIS passes a GET request to asp.dll in the form of a string, and after passing the data to Request.QueryString, the ASP parser parses the Request.QueryString information and follows the "&" To separate the data in each array. Now we want to make the get way unable to submit the following characters:
', and, exec, insert, select, Delete, update, COUNT, *,%, CHR, Mid, Master, truncate, Char, declare
Then, the code to prevent a get-mode injection is as follows:
<%
Dim sql_leach,sql_leach_0,sql_data
Sql_leach = "', And,exec,insert,select,delete,update,count,*,%,chr,mid,master,truncate,char,declare"
Sql_leach_0 = Split (Sql_leach, ",")

If request.querystring<> "" Then
For each sql_get in Request.QueryString
For Sql_data=0 to Ubound (SQL_LEACH_0)
If InStr (Request.QueryString (Sql_get), Sql_leach_0 (sql_data)) >0 Then
Response.Write "Please do not attempt SQL injection!" "
Response.End
End If
Next
Next
End If
%>
Where the string in the variable Sql_leach is the specified filtered character, separated by ",".
Then filter the post submission method of injection, we can see that the Request.Form is also in the form of an array, as long as it is a circular judgment on it. The ASP code to prevent post injection is as follows:
<%
If request.form<> "" Then
For each sql_post in Request.Form
For Sql_data=0 to Ubound (SQL_LEACH_0)
If InStr (Request.Form (Sql_post), Sql_leach_0 (sql_data)) >0 Then
Response.Write "Please do not attempt SQL injection!" "
Response.End
End If
Next
Next
End If
%>
In this way, both get and post injection are disabled.
The other is the database problem, first of all, it is very popular to use the *.asp naming database has no meaning, because the download software can be downloaded, before the database name plus # is not very useful, although access to the browser only to access the contents of the # before, but if you will # with its Unicode expression (% 23) can be accessed by replacement. In that case, we forbid intruders to Bauku. The method of general Storm database, is to replace "/" with "%5c" (The Unicode expression of "\") before reading the file name of the database (such as conn.asp) so that the ASP can interpret%5c as accessing the site root directory, but the database is not found at the specified location. Setting IE to "show friendly HTTP error messages" will naturally burst the path of the database.
The method of prevention is also relatively simple, that is, let the ASP program even in the case of errors do not complain directly to execute the next step on it. Add the phrase in the ASP file: On Error Resume Next is OK.
There are a few things to note:
1. Database name is long and as far as possible in the site root directory, the database table name and field name as far as possible irregular 2. The database that holds sensitive information (such as user and password) is as far as possible separate from the database referenced in the foreground page (if the database is burst out of the foreground page with a new Bauku method, so the intruder also can not get valuable information); 3. Background directory name and landing page name to change the unusual some, must not appear admin or login and so on Characters so as not to be injected into the software to scan into the background. 4. If the front desk or background has the ability to upload files, remember that there can be no other function directly or indirectly have the right to change the file name. This kind of multiple protection is more secure.

ASP Server Security Configuration chapter (for Win2K and Win2003):
We start with the bare metal--
First, unplug the network cable, format all disks to NTFS after partitioning on demand, and install the system in the D disk. After the system is installed, do a ghost backup of the bare system immediately, in case of unexpected in the process of configuring later.
It is necessary to install the drivers first. After the first install firewall, choose a good firewall is very important. Can buy the best hardware firewall, recommended options: Cisco PIX series, NGFW series, ice Eye (intrusion detection system). Without the hardware firewall, the use of software firewalls, recommended: Blackice (my personal favorite), Checkpoint (Israel National Firewall), ZoneAlarm (not too familiar, but good reputation), although more like Skynet firewall, but do not recommend the server with Skynet.
Install the firewall installed antivirus software, recommended: KV jiangmin anti-virus software (Good Things), Norton (although good, but more overbearing), Kaspersky (I heard more memory consumption, but the effect of the virus is very good).
Start installing all the software you need, and if it's a 2003 system, don't forget to install IIS. All of the above software is installed on a disk that is not a system disk.
The following start to patch the system, first with the CD on hand to 2k SP4 or 2003 dozen SP1. In the case of local operation will be able to play the system and software patches are played. After that, in the confirmation firewall and antivirus software are set up, plug in the network cable, start window update, and upgrade anti-virus software to the latest virus library. After finishing all the system and software patches, unplug the network cable, all the temporary files and system patches left uninstall files all deleted, if you feel too much space can also be%systemroot%\system32\dllcache\ under the All Files deleted (System backup files), This will make the final ghost backup file smaller in size. Then use the ghost backup system again.
After removing the unsafe components, you need to remove the Wscript.Shell, Wscript.Network, and Shell.Application. Under the cmd respectively input (in 2k, for example, 2003 channel is D:\windows):
Regsvr32/u D:\WINNT\System32\wshom.ocx
Del D:\WINNT\System32\wshom.ocx
Reboot, OK. In addition, intruders can take advantage of GetObject ("WINNT") to obtain a list of users and processes, and can disable workstation services as a precautionary measure.
It is necessary to set permissions. First, determine how many sites you want to establish in IIS, and then create a user for each site. In the directory security of the IIS site, select the account that this user is anonymous to access. All partitions are disabled for this user access, while the corresponding folder settings in the site allow this user access. In this way, even if the site is invaded, the intruder will not get the server shell.
After everything is done, use Ghost to back up again, and put the good backup files on a machine that is not on the same LAN as the server or in a relatively safe place. Plug in the network cable, the server will be safe to work properly. You can then restore the system once every time the server is reset, which is something.

Well, basically so much, the above said may not be very complete, only for reference purposes, deficiencies also please master a lot of supplements.