Securing Web Database

Discussion in 'ASP General' started by Prabhat, Nov 1, 2005.

  1. Prabhat

    Prabhat Guest

    Hi All,

    I have a website setup which has MS-Access DB. The web pages are in ASP and
    use ADO to connect to DB. The DB is located in the Folder "/Database". I
    have the Connection string setup in the Global.asa file.

    As my virtual Directory is "/" and all files and folders including the
    "Database" folder are within the folder, anyone who knows the Database
    folder name and database name can directly download the database from the
    website.

    The physical Directory for the virtual directory is: -

    d:\mywebsite
    d:\mywebsite\database
    d:\mywebsite\DLLs
    d:\mywebsite\images
    d:\mywebsite\include
    d:\mywebsite\stylesheet
    d:\mywebsite\template

    How can I restrict the database from being accessed directly from web? Please
    suggest all alternatives that I can opt for.

    Thanks
    Prabhat
    Prabhat, Nov 1, 2005
    #1

  2. Prabhat

    David Morgan Guest

    Put the database above d:\mywebsite.

    Something like:

    d:\databases\mywebsite.mdb


    "Prabhat" <> wrote in message
    news:...
    > Hi All,
    >
    > I have a website setup which has MS-Access DB. The web pages are in ASP and
    > uses ADO to connect to DB. The DB is located in the Folder "/Database". I
    > have the Connection string setup in the Global.asa file.
    >
    > As my virtual Directory is "/" and all files and folders including the
    > "Database" folder are with in the folder so any one who knows the Database
    > folder name and database name can directly download the database from the
    > website.
    >
    > The physical Directory for the virtual directory is: -
    >
    > d:\mywebsite
    > d:\mywebsite\database
    > d:\mywebsite\DLLs
    > d:\mywebsite\images
    > d:\mywebsite\include
    > d:\mywebsite\stylesheet
    > d:\mywebsite\template
    >
    > How Can I restrict the database to be access directly from web? Please
    > suggest all alternatives that I can opt for.
    >
    > Thanks
    > Prabhat
    >
    >
    David Morgan, Nov 1, 2005
    #2

  3. Prabhat wrote:
    >
    > How Can I restrict the database to be access directly from web? Please
    > suggest all alternatives that I can opt for.
    >

    The most common, and most effective, solution is to put the database outside
    of the wwwroot folder. There is no need to have it in the web folder where
    it can be browsed to.

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Nov 1, 2005
    #3
  4. Prabhat

    Prabhat Guest

    "David Morgan" <> wrote in
    message news:%...
    > Put the database above d:\mywebsite.
    >
    > Something like:
    >
    > d:\databases\mywebsite.mdb
    >
    >

    Hi David,

    Does that require any security settings in Windows / for windows users? Or
    will that work with out any settings?

    Thanks
    Prabhat
    Prabhat, Nov 1, 2005
    #4
  5. Prabhat

    Prabhat Guest

    "Bob Barrows [MVP]" <> wrote in message
    news:...
    > Prabhat wrote:
    >>
    >> How Can I restrict the database to be access directly from web? Please
    >> suggest all alternatives that I can opt for.
    >>

    > The most common, and most effective, solution is to put the database
    > outside
    > of the wwwroot folder. There is no need to have it in the web folder where
    > it can be browsed to.
    >


    OK, thanks for that. But will keeping the DB outside the web share folder
    require any user privilege settings?

    Thanks
    Prabhat
    Prabhat, Nov 1, 2005
    #5
  6. Prabhat

    David Morgan Guest

    It is most likely that any folder created off the root will have Everyone
    Full Access. (This is quite handy when working with Access DBs.)

    It should work without any settings. You'll soon know if it works and
    security is well documented on http://www.aspfaq.com/

    Regards

    David


    "Prabhat" <> wrote in message
    news:%...
    >
    > "David Morgan" <> wrote in
    > message news:%...
    > > Put the database above d:\mywebsite.
    > >
    > > Something like:
    > >
    > > d:\databases\mywebsite.mdb
    > >
    > >

    > Hi David,
    >
    > Does that require any security settings in Windows / for windows users? Or
    > will that work with out any settings?
    >
    > Thanks
    > Prabhat
    >
    >
    David Morgan, Nov 1, 2005
    #6
  7. Prabhat

    Prabhat Guest

    "David Morgan" <> wrote in
    message news:...
    > It is most likely that any folder created off the root will have Everyone
    > Full Access. (This is quite handy when working with Access DBs.)
    >
    > It should work without any settings. You'll soon know if it works and
    > security is well documented on http://www.aspfaq.com/
    >
    > Regards
    >
    > David
    >


    I will do that. Thanks for that info.

    Prabhat
    Prabhat, Nov 1, 2005
    #7
  8. Prabhat wrote:
    > "Bob Barrows [MVP]" <> wrote in message
    > news:...
    >> Prabhat wrote:
    >>>
    >>> How Can I restrict the database to be access directly from web?
    >>> Please suggest all alternatives that I can opt for.
    >>>

    >> The most common, and most effective, solution is to put the database
    >> outside
    >> of the wwwroot folder. There is no need to have it in the web folder
    >> where it can be browsed to.
    >>

    >
    > OK Thanks for that. But keeping the DB outside the web share folder
    > will require any user privilage settings?
    >

    If using Anonymous, then the IUSR and IWAM accounts will require modify
    access to the folder containing the database. Otherwise, all users will
    require that level of permission.

    --
    Microsoft MVP -- ASP/ASP.NET
    Please reply to the newsgroup. The email account listed in my From
    header is my spam trap, so I don't check it very often. You will get a
    quicker response by posting to the newsgroup.
    Bob Barrows [MVP], Nov 1, 2005
    #8
  9. I recommend the same as the others, but if you can't do it that way then you
    could rename the file something obscure and give it an HTM extension (like
    "fh496jfu6.htm"). The browser would (assuming they ever figured the name
    out) always try to render it rather than download it and it would of course
    fail to display. Your connection string would have to be altered to match
    the name and I don't think it will care what the file extension is... I don't
    think it has to be MDB extension to work.

    Obviously I don't think that is the best solution, but it might work if that
    is all you are able to do. I'll admit that I haven't tested it... it is
    just a brainstorm... I guess I got bored.

    --
    Phillip Windell [MCP, MVP, CCNA]
    www.wandtv.com
    -----------------------------------------------------
    Understanding the ISA 2004 Access Rule Processing
    http://www.isaserver.org/articles/ISA2004_AccessRules.html

    Microsoft Internet Security & Acceleration Server: Guidance
    http://www.microsoft.com/isaserver/techinfo/Guidance/2004.asp
    http://www.microsoft.com/isaserver/techinfo/Guidance/2000.asp

    Microsoft Internet Security & Acceleration Server: Partners
    http://www.microsoft.com/isaserver/partners/default.asp
    -----------------------------------------------------



    "Prabhat" <> wrote in message
    news:%...
    > "Bob Barrows [MVP]" <> wrote in message
    > news:...
    > > Prabhat wrote:
    > >>
    > >> How Can I restrict the database to be access directly from web? Please
    > >> suggest all alternatives that I can opt for.
    > >>

    > > The most common, and most effective, solution is to put the database
    > > outside
    > > of the wwwroot folder. There is no need to have it in the web folder where
    > > it can be browsed to.
    > >

    >
    > OK Thanks for that. But keeping the DB outside the web share folder will
    > require any user privilage settings?
    >
    > Thanks
    > Prabhat
    >
    >
    Phillip Windell, Nov 1, 2005
    #9
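
Added example (not part of any post in this thread): a location check for the advice in posts #3 and #9, written in Python with `ntpath` so it runs on any OS. It reads the `Data Source` from a Jet connection string and reports the URL path the file maps to when it sits under the web root, whatever its extension. The web root and `d:\databases\mywebsite.mdb` come from the thread; `site.mdb`, the function names and the sample connection strings are constructed, and it assumes no extra virtual directories map other physical paths.

```python
import ntpath  # Windows path rules, available on every platform

WEB_ROOT = r"d:\mywebsite"  # physical directory of "/" as given in the thread

# Constructed sample connection strings (site.mdb is a made-up file name).
SAMPLE_CONN_STRINGS = [
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\mywebsite\database\site.mdb",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=D:\MyWebsite\Database\fh496jfu6.htm",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\mywebsite\..\databases\mywebsite.mdb",
    r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=d:\databases\mywebsite.mdb",
]

def data_source(conn_str):
    """Return the Data Source value of an OLE DB connection string, or None."""
    for part in conn_str.split(";"):
        key, _, value = part.partition("=")
        if key.strip().lower() == "data source":
            return value.strip().strip('"')
    return None

def url_if_served(web_root, file_path):
    """Return the URL path file_path maps to if it lies under web_root, else None."""
    root = ntpath.normpath(web_root)
    full = ntpath.normpath(file_path)  # collapses "..\" segments
    # Compare case-insensitively and on a whole-directory boundary, so that
    # d:\mywebsite_data is not mistaken for a child of d:\mywebsite.
    prefix = ntpath.normcase(root).rstrip("\\") + "\\"
    if not ntpath.normcase(full).startswith(prefix):
        return None
    return "/" + full[len(root):].lstrip("\\").replace("\\", "/")

def audit(web_root, conn_strings):
    """List (physical path, URL path) for every database stored under the web root."""
    findings = []
    for conn_str in conn_strings:
        path = data_source(conn_str)
        if path is None:
            continue
        url = url_if_served(web_root, path)
        if url is not None:
            findings.append((path, url))
    return findings

if __name__ == "__main__":
    for path, url in audit(WEB_ROOT, SAMPLE_CONN_STRINGS):
        print(f"{path} is inside the web root and maps to {url}")
```
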
  10. Prabhat

    Prabhat Guest

    "Bob Barrows [MVP]" <> wrote in message
    news:...

    > If using Anonymous, then the IUSR and IWAM accounts will require modify
    > access to the folder containing the database. otherwise, all users will
    > require that level of permission.


    Thanks for that info. My website is using Anonymous access so I think I have to
    give permission for both IUSR and IWAM user.

    Prabhat
    Prabhat, Nov 2, 2005
    #10
  11. Prabhat

    Prabhat Guest

    "Phillip Windell" <@.> wrote in message
    news:...
    > I recommend the same as the others, but if you can't do it that way then you
    > could rename the file something obscure and give it an HTM extension (like
    > "fh496jfu6.htm"). The browser would (assuming they ever figured the name
    > out) always try to render it rather than download it and it would of course
    > fail to display. Your connection string would have to be altered to match
    > the name and I don't think it will care what the file extension is,..I don't
    > think it has to be MDB extension to work.
    >
    > Obviously I don't think that is the best solution, but it might work if that
    > is all you are able to do. I'll admit that I haven't tested it,...it is
    > just a brainstorm,...I guess I got bored.


    Good solution, but I have to see if the other extension will work or not.
    But as you told this is not the best solution, and as others suggested to
    move to other folder above wwwroot, I will go for that. But still will try
    to see if the extension change will work or not.

    Thanks
    Prabhat
    Prabhat, Nov 2, 2005
    #11
  12. Prabhat

    Mark Schupp Guest

    Do you have a directory on your site that is set to not allow IIS to read
    from it (cgi-bin directories are usually like this)? If so, put the DB in
    there. If not, can you create such a directory (or have your ISP create it)?

    --
    --Mark Schupp


    "Prabhat" <> wrote in message
    news:...
    >
    > "Bob Barrows [MVP]" <> wrote in message
    > news:...
    >
    >> If using Anonymous, then the IUSR and IWAM accounts will require modify
    >> access to the folder containing the database. otherwise, all users will
    >> require that level of permission.

    >
    > Thanks for that info. My website using Anonymous access so I think I have
    > to
    > give permissin for both IUSR and IWAM user.
    >
    > Prabhat
    >
    >
    Mark Schupp, Nov 2, 2005
    #12
  13. Prabhat

    PJones Guest

    http://support.cjwsoft.com/code/code_info.asp?TID=107&KW=download database


    "Prabhat" <> wrote in message
    news:...
    > Hi All,
    >
    > I have a website setup which has MS-Access DB. The web pages are in ASP
    > and uses ADO to connect to DB. The DB is located in the Folder
    > "/Database". I have the Connection string setup in the Global.asa file.
    >
    > As my virtual Directory is "/" and all files and folders including the
    > "Database" folder are with in the folder so any one who knows the Database
    > folder name and database name can directly download the database from the
    > website.
    >
    > The physical Directory for the virtual directory is: -
    >
    > d:\mywebsite
    > d:\mywebsite\database
    > d:\mywebsite\DLLs
    > d:\mywebsite\images
    > d:\mywebsite\include
    > d:\mywebsite\stylesheet
    > d:\mywebsite\template
    >
    > How Can I restrict the database to be access directly from web? Please
    > suggest all alternatives that I can opt for.
    >
    > Thanks
    > Prabhat
    >
    >
    PJones, Nov 27, 2005
    #13