Securing ASP Data Access

The Problems (2)

SQL databases are not the only thing that is susceptible to this kind of attack either. The administrator account I mentioned above was being used to access an LDAP directory. Many applications and frameworks that tie into ASP will require secured access. This is to prevent anonymous web users from accessing the API directly. But in so doing, they also expose us to the serious threat of compromising our security credentials. These can be SQL Server or other database accounts, LDAP directory accounts, or even privileged Windows user accounts. Literally, anything that needs this kind of protection can be at risk in this way.

So, what's a responsible programmer to do? Robert Howard, author of Site Server 3.0 Personalization and Membership (available from Wrox Press) recommends storing this critical information in the registry. There's only one problem. While Site Server and other high-end systems built on ASP often include a means of accessing the registry, Microsoft has (some would say thoughtfully) not included a standardized means of manipulating the registry from ASP. To his credit, Robert also briefly mentions the alternative we will illustrate today, even calling it preferable to using the registry. That alternative is to store our access codes in the IIS metabase.

Did I say preferable? Yes. In fact, the metabase is where IIS stores the usernames and passwords it uses to support itself and ASP. Unlike the registry, it not only includes a means of securing this content, but also a means for hiding passwords from casual observation. And—here's the great news—it comes built into IIS from version four onward.

You might also like...

Comments

About the author

Thomas C. Carpe United States

I have been working in IT since 1993. I founded CarpeDiem Business Internet Systems in 1995. In 2000 we incroporated and took on two partners. Its really a grat lot of fun, and I enjoy working o...

Interested in writing for us? Find out more.

Contribute

Why not write for us? Or you could submit an event or a user group in your area. Alternatively just tell us what you think!

Our tools

We've got automatic conversion tools to convert C# to VB.NET, VB.NET to C#. Also you can compress javascript and compress css and generate sql connection strings.

“There are 10 types of people in the world, those who can read binary, and those who can't.”