Web Database Security Protection (1)

Source: Internet
Author: User
Tags web database

The database is the lifeblood of a Web site. Because of administrators' security oversights, it often becomes the entry point through which attackers compromise the site. How can Web databases be hardened? Taking the widely used Access and MSSQL databases as examples, this article discusses Web database security protection.

1. Access Database anti-Download

Having the database downloaded is almost devastating for a Web site, because the attacker obtains sensitive information, including administrator accounts and passwords, and can then carry out further attacks. The databases that get downloaded are mainly Access databases, and quite a few Web sites use them. To prevent an Access database from being downloaded, you can start from the following aspects.

1) Rename the database

Renaming the database has two parts. First, change the file name to something uncommon: it should be long enough and contain some special characters so that attackers cannot guess it. Second, change the .mdb suffix to .asp so that the file is handled by the ASP engine instead of being served for download. Of course, after the database is renamed, the database connection configuration file must be updated accordingly.

2) Change the database path

Every site system ships with a default database path. Because of poor security awareness, many users do not change this path when deploying the Web site, so attackers can easily guess where the site's database is.

To change the database path, create an uncommon directory under the site directory and move the database file into it. After changing the path, you must update the site system's database connection file. For an ASP site system, the connection file is generally conn.asp; open it and edit the path so that it matches the new database location.

3) Set Directory Permissions

Set the access permissions on the database directory according to the principle of least privilege, so that no unexpected access is possible. Because Web programs run as the IIS user, it is enough to grant the IIS user read and write permissions on the directory, and then remove the script execution permission for that directory in the IIS manager, which prevents an intruder from obtaining a webshell by uploading a file into it.

4) Add an application mapping for the .mdb extension

For files that IIS cannot parse, IIS shows a download dialog and lets the user download them. You can add an application mapping for the .mdb extension in the IIS manager to prevent the database from being downloaded. The setting method is as follows: open the IIS manager, locate the corresponding Web site, right-click it and select "Properties", then go to "Home Directory > Configuration > Mappings" and add a mapping for the .mdb extension under "Application extensions". Which executable you map it to does not matter much, as long as attackers can no longer retrieve the database file through it.

5) Database transformation

The idea is to change the database suffix from .mdb to .asp, and then add a NotDownLoad table to the database so that the file cannot be downloaded. The procedure is as follows:

First create an .asp file (notdown.asp). The code is as follows:

Then run notdown.asp on the server. This adds a NotDownLoad table containing a notdown field to the database. Because the value stored in notdown is "<%", when the renamed .asp database file is requested, the ASP engine tries to execute it, fails because the closing "%>" tag is missing, and denies access, so the download will certainly fail.
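An added example (not the original article's code) of what the notdown.asp script described above can contain. It assumes the renamed database is at data/yourdb_renamed.asp relative to the script and uses ADO with the Jet OLE DB provider; the two bytes are written through an OLE Object field so they land in the file as raw, uncompressed bytes.

```asp
<%
' Added example, not the article's own code.
' Creates the NotDownLoad table in the renamed Access database and stores
' the two bytes "<" and "%" in it, so that IIS's ASP engine fails on the file.
Option Explicit
Dim conn, rs, dbPath

' Assumption: the renamed database lives here, relative to this script.
dbPath = Server.MapPath("data/yourdb_renamed.asp")

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & dbPath

' OLEOBJECT (long binary) keeps the bytes exactly as written.
conn.Execute "CREATE TABLE NotDownLoad (notdown OLEOBJECT)"

Set rs = Server.CreateObject("ADODB.Recordset")
rs.Open "SELECT notdown FROM NotDownLoad", conn, 1, 3  ' adOpenKeyset, adLockOptimistic
rs.AddNew
' ChrB(60) is "<", ChrB(37) is "%"; built from byte codes so this
' script itself does not contain an unbalanced ASP delimiter.
rs("notdown").AppendChunk ChrB(60) & ChrB(37)
rs.Update
rs.Close
Set rs = Nothing

conn.Close
Set conn = Nothing
Response.Write "NotDownLoad table created in " & dbPath
%>
```

Run it once, then delete notdown.asp from the site so it cannot be executed again.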
