Solutions to ASP injection application Vulnerabilities

Source: Internet
Author: User
Tags: sql error, strong password, microsoft baseline security analyzer

1. Do not use sa, or any login that belongs to the sysadmin fixed server role, as the account that connects ASP programs to SQL Server. Application services should not run with high privileges; connect to the database with an ordinary login that holds only the db_owner role on the application database.
2. Run the web application server and the database server on separate machines, ideally with a firewall providing logical isolation between them. Besides the tools that probe for SQL Server instances with a blank sa password, SQL Server itself and many of its extended stored procedures have been vulnerable to overflow attacks.
3. Avoid exposing the database server to the public network at all. If a direct public connection must be provided, consider a non-standard port and restrict the IP addresses allowed to connect.
4. sa must have a strong password, especially on versions earlier than SQL Server 2000. By default the sa account has no password after installation, and administrators commonly forget, or cannot be bothered, to set one once the software is installed.
5. Change the default web virtual path. Do not keep using the default <System Disk>\Inetpub\WWWRoot path created when IIS is installed; otherwise the "Save As" trick described above can easily be used to work in a directory whose location is already known.
6. Remove extended stored procedures that are not normally needed but have powerful capabilities.
7. Use network- and host-based IDS to monitor the state of important systems.
8. Check whether new patches are required. At the time of writing, the latest service pack for SQL Server 2000 is SP4.
9. Use ASP or ASP.NET to check and limit the type and length of input variables on the server, and filter out unwanted content. These checks must not exist only on the front end; they must also be enforced on the back end. The front end may use the MaxLength attribute of the HTML Input tag or a JScript routine to limit the length of a text field, but a user only needs to save the web page, edit it (typically just the Form's Action attribute and the Input's MaxLength attribute) and reopen the modified page in a browser to bypass every browser-side check.
10. Use error-tolerant statements instead of displaying error messages on the front end. Use On Error Resume Next in VBScript to suppress SQL error prompts and handle errors with If Err.Number <> 0 Then. The system then redirects errors to an appropriate error-handling page, which makes it more stable and makes it harder for attackers to learn the system's internal workings from error messages. Alternatively, modify the preset \Winnt\Help\iisHelp\common\500-100.asp page; the simplest approach is to rename it. Example:
On Error Resume Next
Sql2 = "select * from dv_admin where username = '" & ReqStr("username") & "'"
If Err.Number <> 0 Then Response.Redirect "error.asp"   ' redirect instead of echoing the SQL error (error.asp is a placeholder page name)
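As an added example, not code from the original article, this is a replacement 500-100.asp of the kind item 10 suggests: it records the real ASP error on the server through Server.GetLastError and sends the visitor only a generic message. It assumes IIS is configured to use this page as the 500;100 custom error handler and that the log path C:\Logs\asp_errors.log (a placeholder) is writable by the IIS worker account.

```vbscript
<%
' Added example, not from the article: a custom 500-100.asp.
' Logs the full error details server-side and shows a generic page to the client.
' Assumed: this file is registered as the 500;100 custom error page in IIS,
' and C:\Logs\asp_errors.log (placeholder path) is writable by the worker process.
Option Explicit
Dim objErr, fso, logFile

' ASPError object describing the script error that triggered this page.
Set objErr = Server.GetLastError()

' Append one tab-separated line per error: time, client IP, file:line, category, messages.
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set logFile = fso.OpenTextFile("C:\Logs\asp_errors.log", 8, True)   ' 8 = ForAppending
logFile.WriteLine Now & vbTab & Request.ServerVariables("REMOTE_ADDR") & vbTab & _
                  objErr.File & ":" & objErr.Line & vbTab & objErr.Category & vbTab & _
                  objErr.Description & vbTab & objErr.ASPDescription
logFile.Close

' The browser gets a 500 status and a fixed message; no SQL text, file name or line number.
Response.Status = "500 Internal Server Error"
Response.Write "<html><body><p>The request could not be processed. Please try again later.</p></body></html>"
%>
```

The log line keeps Description and ASPDescription, which for an ADO failure contain the provider's error text, so the information the article wants hidden from the browser is still available to the administrator on the server.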
11. Use filter and anti-injection functions to strip special characters. Example anti-injection functions:
'---------------------------------------------------------------
Function ReqNum(StrName)                    ' numeric variable filter
    ReqNum = Request(StrName)
    If Not IsNumeric(ReqNum) Then
        Response.Write "The parameter must be numeric!"
        Response.End
    End If
End Function

Function ReqStr(StrName)                    ' string filter
    ReqStr = Replace(Request(StrName), "'", "''")   ' double each single quote so it cannot close the SQL string literal
End Function
The following three SQL statements show how the functions are called:
1. SQL = "select * from dv_admin where username = " & ReqNum("username")
2. SQL = "select * from dv_admin where username = '" & ReqStr("username") & "'"
3. SQL = "select * from username where UserName like '%" & ReqStr("username") & "%'"
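As an added example, not code from the original article or from any project, here is how items 9, 10 and 11 fit together in one classic ASP page: a server-side whitelist check on the username, the dv_admin query rewritten with an ADODB.Command parameter so the value never becomes part of the SQL text, and the error redirect from item 10. The server name DBSERVER, database AppDb, login webapp_user, the varchar(50) width of the username column and the page error.asp are assumptions. It also goes a step beyond the article's ReqStr: the LIKE form of the query (the third statement above) is parameterised too, and the % and _ wildcards are escaped, which quote-doubling alone does not handle.

```vbscript
<%
' Added example, not code from the original article.
' Assumed names: server DBSERVER, database AppDb, login webapp_user (an ordinary
' db_owner-level login, not sa), table dv_admin with varchar(50) column username,
' and a local page error.asp for item 10's redirect.
Option Explicit
On Error Resume Next

' Item 9: type and length are checked on the server; MaxLength on the form is not trusted.
Function CleanUserName(strName)
    Dim v, re
    v = Trim(Request.Form(strName))             ' read the POSTed field only, not QueryString/Cookies
    Set re = New RegExp
    re.Pattern = "^[A-Za-z0-9._-]{1,50}$"       ' whitelist of allowed characters plus the length limit
    If Not re.Test(v) Then
        Response.Write "Invalid parameter."
        Response.End
    End If
    CleanUserName = v
End Function

' For LIKE searches a parameter stops quote injection, but % and _ in the value
' are still wildcards, so escape them (and the escape character itself).
Function EscapeLike(s)
    EscapeLike = Replace(Replace(Replace(Replace(s, "\", "\\"), "%", "\%"), "_", "\_"), "[", "\[")
End Function

Dim conn, cmd, rs, userName
userName = CleanUserName("username")

' Item 1: connect as a low-privilege login, never as sa. The password is a placeholder.
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBSERVER;Initial Catalog=AppDb;" & _
          "User ID=webapp_user;Password=<placeholder>"

' Item 11 done with a parameter: the SQL text is fixed, the value is sent separately.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                                   ' adCmdText
cmd.CommandText = "SELECT username FROM dv_admin WHERE username = ?"
' CreateParameter(Name, Type, Direction, Size, Value): 200 = adVarChar, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("@p", 200, 1, 255, userName)
Set rs = cmd.Execute

' Item 10: the raw SQL error never reaches the browser.
If Err.Number <> 0 Then
    Err.Clear
    Response.Redirect "error.asp"
End If

If rs.EOF Then
    Response.Write "No such user.<br>"
Else
    Response.Write "Exact match: " & Server.HTMLEncode(rs("username")) & "<br>"
End If
rs.Close

' The article's third statement (LIKE '%...%') with the same Command object:
' the pattern is built from the escaped value and passed as the parameter.
cmd.CommandText = "SELECT username FROM dv_admin WHERE username LIKE ? ESCAPE '\'"
cmd.Parameters(0).Value = "%" & EscapeLike(userName) & "%"
Set rs = cmd.Execute
If Err.Number <> 0 Then
    Err.Clear
    Response.Redirect "error.asp"
End If

Do Until rs.EOF
    Response.Write "Partial match: " & Server.HTMLEncode(rs("username")) & "<br>"   ' encode on output too
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

With the ? placeholder the parameter name passed to CreateParameter is not used by the SQLOLEDB provider, so the order of Parameters.Append calls is what binds values to placeholders; the parameter size is set larger than the column so the "%...%" pattern is never truncated.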
12. If you change the account under which the SQL Server service runs, that account needs the following user rights:
Log on locally
Log on as a batch job
Access this computer from the network
Log on as a service
Replace a process level token
Act as part of the operating system
Increase quotas
13. Use the Microsoft Baseline Security Analyzer (MBSA) to evaluate the server's security and change the system settings according to its recommendations.
MBSA is a tool that scans for insecure configurations across multiple Microsoft products, including SQL Server and Microsoft SQL Server 2000 Desktop Engine (MSDE 2000). It can be run locally or over the network.

This tool checks a SQL Server installation for the following issues:
1) Too many members of the sysadmin fixed server role.
2) Roles other than sysadmin granted the right to create CmdExec jobs.
3) Empty or simple passwords.
4) Weak authentication mode.
5) Excessive rights granted to the Administrators group.
6) Incorrect access control lists (ACLs) on the SQL Server data directories.
7) Plain-text sa password left in the installation files.
8) Excessive permissions granted to the guest account.
9) SQL Server running on a system that is also a domain controller.
10) The Everyone group misconfigured so that it has access to specific registry keys.
11) The SQL Server service account configured incorrectly.
12) Required service packs and security updates not installed.
14. Disable IIS error messages so that attackers cannot obtain ASP error details: