Securing ASP Data Access

Enter the Metabase

To do what I am suggesting, you are going to need some handy tools. One of these is the Metabase Editor, or MetaEdit for short. This tool is generously provided by Microsoft, and comes included in the IIS Resource Kit. You can also download it from Microsoft at:

http://support.microsoft.com/support/kb/articles/Q232/0/68.ASP

Do yourself a favor and read the knowledge base article if you haven't already. As the name implies, MetaEdit works with the metabase much as our old friend RegEdit does with the registry. It also shares the same caveat: you can do a considerable amount of damage with it. Before you face that risk, back up your metabase from the IIS management console, preferably several times. This is especially important when you are writing code that manipulates the metabase itself, because you will want to be able to undo any bad changes it makes.

Once you have downloaded and installed MetaEdit on your web server, open it and take a look around. You'll see that the metabase has a tree structure, very similar to the registry, or even Active Directory. In fact, like Active Directory (or any LDAP database for that matter) the metabase has a schema. The schema defines all the data types that can be defined within the metabase, in which containers they are valid, and other vital information.

So, this is where we'll begin. You need to define data types that will store the username, password, and connection string for our database. If you were connecting to LDAP or Active Directory, you'd also need to create data types for these connections. There are three paths in which your new data type will be defined. These are each listed under the /Schema/Properties path, and are Defaults, Names, and Types. If you look directly at the values under these paths, you will find them almost impossible to understand, because much of the information is stored in binary. Fortunately, you can extend the schema via ADSI (Active Directory Service Interfaces), a COM API that allows us to interact with the metabase as well as other directory structures. Through ADSI, we can use VBScript or ASP to bind to the metabase and define our values.

Older installations of Windows NT 4.0 may not have ADSI installed. If this is the case on your server, you can download it from Microsoft at the following URL:

http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
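The schema extension described above could look like the following VBScript. This is an added example, not the author's code: the property names (AppDbUser, AppDbPassword, AppDbConnString) and the choice of IIsWebVirtualDir as the target class are hypothetical. It assumes the IIS ADSI provider's schema property attributes (Syntax, Inherit, Secure, Default) and must be run as an administrator after backing up the metabase.

```vbscript
Option Explicit
' Added example: extend the IIS metabase schema through ADSI.
' All property names and the target class below are hypothetical.

Dim schema
Set schema = GetObject("IIS://localhost/Schema")

' Create one string property in the schema.
' markSecure = True asks IIS to store the value encrypted in the metabase,
' which is what you want for a password or a connection string.
Sub DefineProperty(name, markSecure)
    Dim prop
    Set prop = schema.Create("Property", name)
    prop.Syntax = "String"
    prop.Inherit = True          ' child paths inherit the value
    prop.Secure = markSecure
    prop.Default = ""
    prop.SetInfo                 ' commit the definition
End Sub

' Make a property valid on a class by appending it to OptionalProperties.
Sub AllowOnClass(className, propName)
    Dim cls, props, n
    Set cls = GetObject("IIS://localhost/Schema/" & className)
    props = cls.OptionalProperties
    n = UBound(props) + 1
    ReDim Preserve props(n)
    props(n) = propName
    cls.OptionalProperties = props
    cls.SetInfo
End Sub

Dim entry
' Each entry: property name, then whether it is stored as a secure value.
For Each entry In Array( _
        Array("AppDbUser", False), _
        Array("AppDbPassword", True), _
        Array("AppDbConnString", True))
    DefineProperty entry(0), entry(1)
    AllowOnClass "IIsWebVirtualDir", entry(0)
    WScript.Echo "Defined " & entry(0)
Next
```

Marking a property secure protects the stored value, but any account with administrative access to the metabase can still read it through ADSI, so metabase permissions remain the real access control.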

About the author

Thomas C. Carpe United States

I have been working in IT since 1993. I founded CarpeDiem Business Internet Systems in 1995. In 2000 we incorporated and took on two partners. It's really a great lot of fun, and I enjoy working o...
