Nine methods to prevent access database downloads

Source: Internet
Author: User
Tags mdb database stack trace asp net ntfs permissions

Introduction: I tried it with animator yesterday and renamed the data. MDB file to the Data. asp file and put it in the wwwroot directory. Then input data in IE. after ASP path, ie is displayed blank. Right-click to view the source file, jump out of notepad, and save the content. MDB file, opened with access, found that the password is required, that is, at least the file header is damaged.
Use flashget to download the data. asp file and save it as the data. MDB file. You can find that the file is intact with access !!! As you can see, some programmers thought it was wrong to change the MDB suffix to ASP to prevent downloading! Downloading background databases is a terrible disaster for an ASP + A ccess website. I found articles from various parties today and summarized the following nine methods to prevent the database from being downloaded (please add): & nbsp;

1. Use your imagination to modify the database file name
Needless to say, this is the most lazy method, but if the attacker obtains the database path through a third-party channel), it will be done. For example, if an attacker could only obtain the list permission and accidentally saw the database path, he could download the database and study it. In addition, the data file size is usually relatively large, and hidden file names cannot be concealed. Therefore, the confidentiality is the lowest.

2. Change the database name suffix to Asa, ASP, etc.

This method must be used with some settings. Otherwise, the situation at the beginning of this article will appear.

(1) Add binary Fields

 

First, use access to open the mdb database, switch "table" in "object" to "query", and double-click "create query in design view". In the displayed "display table" window, if no table is added, click "close". In this case, an "SQL" button is added to the "toolbar". Click this button or right-click the "query" window, select "SQL View" to open a query window. 1. In fact, this window is the access SQL command input window (hedgehog prompt: In the MSSQL database, you can use the "query analyzer" to debug SQL statements. In the ACCESS database, you can use this method to debug SQL statements ).

 

Next, you can create an anti-download field, which is divided into two steps:

Step 1: first Create a Table and enter the following content in the SQL command window: "Create Table [nodown] ([jmdcw] oleobject )"
Click "!" In the toolbar. In this way, a "nodown" table will be created in the current database. The field name is called "jmdcw" and the field type is "OLE object ".

Step 2: change the content in the SQL query window to the following command: "Insert into [nodown] (jmdcw) values (0x3C25 )"
This statement inserts "0x3C25" data into the "jmdcw" Field of the "nodown" table ("0x3C25" is a hexadecimal value of the character "<% ).

After the execution is complete, check the "table" in the database again, and you will find that there is an additional "nodown" table. After opening the table, effect 2 is displayed, and the field displays "Long binary data ", look! Is it consistent with the anti-download field in some professional ASP programs!

 

Finally, change the database extension "MDB" to "ASP" and test it in local IIS. The returned information is as follows:

Error Type:
Active Server Pages, ASP 0116 (0x80004005)
The Script block lacks the Script close mark (%> ).

Because the previous insert is "<%", when the database is changed to ASP format, the error "script disabling Flag missing" will appear. Here, the error is a good thing! Because it indicates that the anti-download setting above is successful!

 

(2) If you add <% or %> to this file, IIS will parse the file according to the ASP syntax, and then reports the 500 error, which cannot be downloaded. However, it is useless to simply add <% in the text or remarks field of the database, because access will process the content, it will exist in the database in the form of <%, invalid! The correct method is to store <% Into the OLE object field, so that our goal can be achieved. & Nbs p;
Method:
First, use NotePad to create a text file whose content is <%.
Next, use access to open your database file, create a new table, create a name, add an OLE object field to the table, add a record, and insert the text file created earlier, if the operation is correct, you can see a new record named "data packet. You can.

3. Add "#" before the Database Name "#"
You only need to add # To the front Name of the database file, and then modify the database address in the database connection file (such as Conn. asp. The principle is to download only recognize the part of the front Name of & nbsp; #, for the automatic removal of the back, for example, you want to download: http://www.pcdigest.com/date/# 123.mdb( if there is ). Both IE and flashget are http://www.test.com/dat E/index.htm (index. asp, default. jsp, etc. The home page document in IIS settings)
In addition, retaining spaces in database file names also plays a similar role. Due to the special nature of the HTTP protocol for address resolution, spaces are encoded as "%", such as http: // www.test.com/date/123; 456.mdb, http: // www. test.com/date/123 % 456.mdb. However, our directory does not have the 123% 456. MDB file at all, and the download is invalid. After such modification, even if you expose the database address, it is generally impossible for others to download it!

4. Encrypted Database
First, choose tools> Security> encryption/Decryption database, and select the database (for example, employer. mdb), and then click OK. The window "Save the database as encrypted database" appears, saving as: employer1.mdb. Then employer. mdb will be encoded and stored as employer1.mdb .. note that the above actions are not to set a password for the database, but to encode the database files to prevent others from using other tools to view the contents of the database files.
Next, we will encrypt the database. First, we will open the encoded e mployer1.mdb and select the "exclusive" mode when opening it. Select "tools-> Security-> set Database Password" in the menu, and enter the password. In this way, even if someone else gets the employee 1.mdb file, he cannot see emplo yer1.mdb without a password.
After encryption, modify the database connection page, for example:
Conn. open "driver = {microsoft access driver & nb sp; (*. mdb)}; uid = admin; pwd = Database Password; dbq = database path"
After this modification, even if the database is downloaded, it cannot be opened by others (provided that the password on your database connection page is not leaked)
However, it is worth noting that the encryption mechanism of the Access database is relatively simple, and it is easy to decrypt even if a password is set. The database system creates an encryption string by comparing the password entered by the user with a fixed key and stores it in *. the mdb file starts from the address "& H42. Therefore, a good programmer can easily create dozens of rows of small programs to easily obtain the password of any Access database. Therefore, as long as the database is downloaded, its information security is still unknown.

5. Store the database outside the WEB directory or store the database connection file in another virtual directory.
If your web directory is E: \ webroot, you can put the database in the E: \ data folder and modify the database connection address: ".. /data/Database Name ", so that the database can be called normally, but cannot be downloaded, because it is not in the web directory! This method is generally not suitable for users who buy virtual space.

6. Use the ODBC data source.
In programming such as ASP, if conditions are met, try to use the ODBC Data Source. Do not write the database name in the program. Otherwise, the database name will be lost along with the password of the ASP source code. For example: dbpath = server. mappath (".. /123/ABC/asfadf. mdb ")
Conn. Open "driver = {Microsoft Access driver & nb sp; (*. mdb)}; DBQ =" & dbpath
It can be seen that even if the database name gets weird, the hidden directory goes deeper, and the ASP source code is easily downloaded after the password is lost. If you use an ODBC data source, the following problem does not exist: Conn. open "ODBC-DSN name", but this is more annoying, if you want to re-set the data source, more convenient way please see the 7, 8 method!

7. Add the extended MDB ing of database names such as MDB
This method is implemented by modifying the IIS settings. This method is suitable for friends who have control over IIS and is not suitable for users who buy virtual hosts (unless the Administrator has already set it ). I think this method is the best at present. The database of the entire site can be modified to prevent downloading. You do not need to modify the code to prevent download even if the target address is exposed. & N bsp;
In IIS properties --- main directory --- configuration --- ing --- application extension, add the application parsing of the. MDB file. Note that the selected d ll (or EXE) here does not seem to be arbitrary, and the MDB file can still be downloaded due to improper selection. It is best not to select ASP. DLL. You can perform multiple tests on your own.
In this way, download the database, for example, http://www.test.com/data/dvbbs6.mdb. An error occurs (404 or 50 0)

8: advantages of using. net
The wooden bird on the Internet has written a "WBAl anti-leech tool" to prevent illegal file downloads ". You can log on to http: // www.9seek.
However, it only prevents non-local downloads and does not provide a real anti-download function. However, this method is not much different from the 5 method. You can modify the. NET file to achieve local download! . Com/WBAl /;

Only 7th and 8 of these methods are uniformly modified. After a configuration is modified, the database of the entire site can be prevented from being downloaded. The other methods need to modify the Database Name and connection file respectively, it is troublesome, but this is also the only option for virtual host friends!

In fact, 6th methods should be extended by 5th methods, which can implement special functions, but are not supported. net host or for fear of setup troubles, we still use the 5th method directly. By default, the 6th methods can still be copied and connected to the same host's forum or message book for publishing, then you can click Download (because the reference page is from the same host)

9. use NTFS partition File Permission settings (by percyboy)
We already know that ASP. NET uses ADO. Net to access the database and can access the ACCESS database through the oledb connection-one of our very common low-end databases. This article discusses ASP. NET may see several error prompts, from which you can see the database files created by & nb sp; Access 2000 and Access XP, when the access error occurs, there will be a different error message. Hope to help you. Another key point is to use this article to give you a new understanding of the NTFS permission settings for Access database files in ASP. NET.

 

(1) experiment process

For the sake of convenience, let's take an experiment: The application is/test, and the data inventory is stored in D: \ wwwr oot \ test \ data \ db1.mdb. We already know it in ASP. net is called; ASPnet virtual user identity to access the database, we need to give this account with specific NTFS permissions to Make ASP.. Net program runs normally.

 

To get the strictest NTFS permission settings, we will give the program the lowest NTFS permission at the beginning of the experiment:

A) grant the following permissions to ASPnet in the d: \ wwwroot \ test \ data \ Folder:
Reject allowed
Full Control & n bsp; □& nbsp; □
Modify & nbs p; □□
Read and run & nbsp; √ □;
List folder directories; √ □
Read & nbs p; √ □
Write & nbs p; □□

B) The D: \ wwwroot \ test \ data \ db1.mdb file itself grants the user ASPNET the following permissions:
√ Allow propagation of inherited permissions from parent to this object

 

1.1 For An aspx program that only contains the "SELECT" command, the above permission settings are not available during running, that is, the above permissions have met the operation of such programs.

 

1.2 For aspx programs that contain commands such as "UPDATE" "INSERT" "UPDATE ,;

(A) If db1.mdb is the database created in Access 2000, the following error occurs:

Server error in the "/test" application.
---------------------------------------
The Microsoft Jet Database Engine cannot open the file 'd: \ wwwroot \ test \ data \'. & N bsp; it has been opened exclusively by another user or has no permission to view data.
Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.
Exception details: System. Data. OleDb. OleDbException: The Microsof t Jet Database Engine cannot open the file 'd: \ wwwroot \ test \ data \'. It has been opened exclusively by another user or has no permission to view data.

 

(B) If db1.mdb is a database created by Access XP, the following error occurs:

Server error in the "/test" application.
----------------------------------------------
The operation must use an updatable query.
Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.
Exception details: System. Data. OleDb. OleDbException: The operation must use an updatable query.

 

(C) Preliminary Analysis of the Cause: Because there are commands such as "UPDATE" "INSERT" "UPDATE", write operations must be performed on the database file itself. Therefore, the preceding permissions cannot meet this requirement, we need to further release the permissions.

We release some permissions,
A) D: \ wwwroot \ test \ data \ Folder unchanged: & nbsp;

B) The D: \ wwwroot \ test \ data \ db1.mdb file itself grants the user ASPNET the following permissions:
Reject allowed
Full Control & n bsp; □& nbsp; □
Modify & nbs p; □□
Read and run & nbsp; √ □;
List folder directories; √ □
Read & nbs p; √ □
Write & nbs p; √ □

 

 

1.3 open the permission and continue the experiment,

(A) If db1.mdb is the database created in Access 2000, the following error occurs:

Server error in the "/test" application.
------------------------------------------
Files cannot be locked.
Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.
Exception details: System. Data. OleDb. OleDbException: the file cannot be locked. & Nbsp;

 

(B) If db1.mdb is a database created by Access XP, no error occurs.

 

(C) Preliminary Analysis of the Cause: We found that a *. ldb file with the same name will be generated in the directory where the Access database is opened, which is a lock mark of Access. In view of this, we guess that when the user ASPNET accesses the Access database, it also needs to generate a lock mark, and this directory does not allow it to write, so an error occurs. The reason why the database created by Access XP does not have this error is unknown.

We further open the permissions,
A) D: \ wwwroot \ test \ data \ folder to give the user ASPNET the following permissions:
Reject allowed
Full Control □□
Modify □□
Read and run √ □;
List folder directories √ □
Read √ □
Write √ □

B) The D: \ wwwroot \ test \ data \ db1.mdb file itself grants the user ASPNET the following permissions:
√ Allow propagation of inherited permissions from parent to this object

 

 

1.4 continue the experiment and find that the error has been resolved. The above permission is the "minimum permission" we need to release ".

(A) If db1.mdb is a database created in Access 2000, we will find a small problem: generated *. ldb files will not be deleted by themselves. The files still exist after access, but this problem will not affect ASP.. NET.

 

(B) If db1.mdb is a database created by Access XP, the above similar problem does not occur.

 

(C) Preliminary Analysis of the Cause: We only gave ASPNET the permission to write folders and did not have the permission to modify them. Therefore, once a file is written, its content cannot be modified ,*. ldb cannot be deleted.

 

If you have to solve this problem, you can further release the permission:
A) D: \ wwwroot \ test \ data \ folder to give the user ASPNET the following permissions:
Reject allowed
Full Control □□
Change √ □
Read and run √ □;
List folder directories √ □
Read √ □
Write √ □

B) The D: \ wwwroot \ test \ data \ db1.mdb file itself grants the user ASPNET the following permissions:
√ Allow propagation of inherited permissions from parent to this object

 

 

1.5 is included in the experiment. In another case, we open and edit db1.mdb in Acce ss and access ASP. NET at the same time.

(A) If db1.mdb is a database created in Access 2000, we find that there is no problem.

(B) If db1.mdb is a database created by Access XP, the following error occurs:

The server error in the "/zhao" application.
------------------------------------------------
You cannot use ''; the file is already in use.
Note: An unhandled exception occurs during the execution of the current Web request. Check the stack trace information for details about the error and the source of the error in the code.
Exception details: System. Data. OleDb. OleDbException: The & nbs p; ''file cannot be used.

 

(C) Preliminary Analysis of the cause: the Access database is a single-user single-threaded database. When we open and edit the database file in Access & n bsp, it is actually the current Windows user (such as Administrator) identity to open the database, while ASP. by default, the asp net virtual user (affiliated to the Users group) is used, which has a lower level than Administrator. Therefore, the user cannot "snatch" the permission with Adminis trator, so a conflict error occurs. We do not need to discuss the situation where Access 2000 ignores this issue. It may be that Access 2000 does not consider so many factors. & Nbsp;

 

1.6 Add another situation: Change the db1.mdb attribute to "read-only". Both & nbs p; Access 2000 and Access XP will be displayed respectively with & nbsp; error messages with the same errors in 1.2.

 

(2) experiment conclusion

(1) first, let's repeat the origin of the NTFS permission settings for Access database files:

In ASP. by default, NET accesses and operates databases as a virtual user called ASPNET & nbsp, you can see this user in "Control Panel"-"Administrative Tools"-"Computer Management"-"local users and groups"-"users". The default value is:

Full name: ASP. NET computer account & nb sp;
The account used to run ASP. NET & nb sp;( aspnet_wp.exe.
Affiliated to: Users Group.

Using a user in the Users group to perform file operations and database operations is much less risky than using an Administrators Group. This is also ASP. NET in terms of security.

Since such a user needs to access and operate the database file itself, we need to grant it certain NTFS permissions to allow its access. Obviously, if you do not have the NTFS permission, ASPNET will not be able to access or operate the database, and the errors shown in the above experiment will appear.

(2) After the above experiment, we already know that the following NTFS permission settings can meet general requirements: & nb sp;

A) D: \ wwwroot \ test \ data \ folder to give the user ASPNET the following permissions:
Reject allowed
Full Control □□
Modify □□
Read and run √ □
List folder directories √ □
Read √ □
Write √ □

B) The D: \ wwwroot \ test \ data \ db1.mdb file itself grants the user ASPNET the following permissions:
√ Allow propagation of inherited permissions from parent to this object

At the same time, we also noticed that whether db1.mdb is a "read-only" file also affects asp net access.

 

(3) The above permission settings can be directly set to the ASPNET user, or to the Use rs group, or directly to the Everyone group. Because ASPNET is affiliated to the Users group, you can set permissions for ASPNET through the user group.

 

(4) set the NTFS permission in the "properties" dialog box-"security" tab after right-clicking a file or folder. Generally, you can give the Adminitrators group full control permissions, and do not easily tick in "deny", related to & n bsp; NTFS permission setting skills, consult your network administrator and network security experts.

Note: Partition in FAT and FAT32 format does not support NTFS permission. & Nb sp;

 

(5) For Windows 2000 series and Windows Server 2003 series, the "Security" tab is easily found by default, but the "Security" tab in Windows XP Pr ofessional is disabled by default, you can remove "√" from "Advanced Settings" on the "control panel"-"Folder Options"-"View" tab and "use simple sharing (recommended, after "OK", follow the above method again to see the "Security" tab. & Nbs p;

 

==============
To sum up, the 2, 3, and 4 methods are the most basic and effective method to prevent database downloads. They are applicable to network administrators with server jurisdiction, it is also suitable for VM users. We recommend that each producer use these three methods at the same time.

If you have jurisdiction over the server, we recommend that you add Method 9 to improve the security of your ACCESS database.
 

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.