Group: iis security, June 2004
I have 3 MS Access databases running on IIS 5.0. 1 is for internal use only while the other 2 are used to display postings and have users submit information via PHP pages.

What is the best way to restrict access to these databases? Either within MS Access, IIS or NTFS file and folder permissions?

Any help would be greatly appreciated. My manager is threatening to migrate everything to Apache and MySQL!

We've already had a hacker download 1 of the databases and with that was able to access restricted areas of the site. Can we disable the ability to download an Access mdb database?

Thanks,
Robin wrote:
> I have 3 MS Access databases running on IIS 5.0.
>
> 1 Is for internal use only while the other 2 are used to
> display postings and have users submit information via
> PHP pages.
>
> What is the best way to restrict access to these
> databases? Either within MS Access, IIS or NTFS file and
> folder permissions?
The best way is not to have the database within the web directory tree. ASP does not need the database to be within the web directory tree, and this is a very common novice mistake.

> Any help would be greatly appreciated. My manager is
> threatening to migrate everything to Apache and MySQL!
I will refrain from making any Microsoft (in)security remarks ;) However...

You should always keep an open mind to use the best tool for the job. I would never recommend (and neither does Microsoft) using Access on a web server, other than a VERY low volume site. Access is designed for single user or a small work group, and not for a website that might have hundreds of requests pending at once. If you want to stick with Microsoft products then you should seriously consider using MS SQL Server, or at least you can use MySQL with IIS just fine without switching to Apache.

> We've already had a hacker download 1 of the databases
> and with that was able to access restricted areas of the
> site. Can we disable the ability to download an access
> mdb database?
As I said above, if it is not within the web directory tree there is no way for it to be downloaded.

> Thanks,
> RS
--
Phil Frisbie, Jr.
Hawk Software
http://www.hawksoft.com
Phil and Jeff.... Thank you so much for responding!

Let me see if I got this straight. The site I inherited is using PHP pages to reference back to the databases which are currently within the web directory. Does this mean all I have to do is the following:

1) Move the databases out of the web directory and create a new folder on one of the server's disks, then
2) Restrict access to this folder and databases using NTFS permissions/authentication. But what permissions do I use? Keep in mind some clients are just submitting names and phone numbers and not internal staff.
3) Create new links within the PHP pages to point to the databases and their new location outside the web directory?

>The best way is not to have the database within the web directory tree. ASP does
>not need the database to be within the web directory tree, and this is a very
>common novice mistake.
>
>I will refrain from making any Microsoft (in)security remarks ;) However...
>
>You should always keep an open mind to use the best tool for the job. I would
>never recommend (and neither does Microsoft) using Access on a web server, other
>than a VERY low volume site. Access is designed for single user or a small work
>group, and not for a website that might have hundreds of requests pending at
>once. If you want to stick with Microsoft products then you should seriously
>consider using MS SQL Server, or at least you can use MySQL with IIS just fine
>without switching to Apache.

It is a very low volume server but we were in talks to deploy MySQL but with the recent attack my manager wanted to make changes immediately.
On Mon, 14 Jun 2004 10:12:51 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>I have 3 MS Access databases running on IIS 5.0.
>
>1 Is for internal use only while the other 2 are used to
>display postings and have users submit information via
>PHP pages.
>
>What is the best way to restrict access to these
>databases? Either within MS Access, IIS or NTFS file and
>folder permissions?
Place them outside the web folder hierarchy, use NTFS permissions and authentication.

>Any help would be greatly appreciated. My manager is
>threatening to migrate everything to Apache and MySQL!
>
>We've already had a hacker download 1 of the databases
>and with that was able to access restricted areas of the
>site. Can we disable the ability to download an access
>mdb database?
Put it outside the web hierarchy.
On Mon, 14 Jun 2004 10:12:51 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>I have 3 MS Access databases running on IIS 5.0.
>
>1 Is for internal use only while the other 2 are used to
>display postings and have users submit information via
>PHP pages.
>
>What is the best way to restrict access to these
>databases? Either within MS Access, IIS or NTFS file and
>folder permissions?
>
>Any help would be greatly appreciated. My manager is
>threatening to migrate everything to Apache and MySQL!
>
>We've already had a hacker download 1 of the databases
>and with that was able to access restricted areas of the
>site. Can we disable the ability to download an access
>mdb database?
>
>Thanks,
>RS
Robin,

Refer to these articles which you may find helpful:

How do I protect my Access database (MDB file)?
http://www.aspfaq.com/show.asp?id=2454

What are the limitations of MS Access?
http://www.aspfaq.com/show.asp?id=2195

Regards,

Paul Lynch
On Mon, 14 Jun 2004 19:48:00 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>Phil and Jeff.... Thank you so much for responding!
>Let me see if I got this straight.
>The site I inherited is using PHP pages to reference back
>to the databases which are currently within the web
>directory. Does this mean all I have to do is the
>following:
>1) Move the databases out of the web directory and create
>a new folder on one of the server's disks, then
>2) Restrict access to this folder and databases using
>NTFS permissions/authentication. But what permissions do
>I use? Keep in mind some clients are just submitting
>names and phone numbers and not internal staff.
>3) Create new links within the PHP pages to point to the
>databases and their new location outside the web
>directory?
Normally a designer would use an include file for the database connections, but some code this into every page and unfortunately you'd need to change those pages individually. As for permissions, usually just the system account needs access, but if the folder is outside that defined in IIS it can't be accessed by an HTTP request to download it, no matter what security the folder/file has. Also use URLScan if you're on IIS5 to defeat parent paths or directory traversing, and make sure the server has current security patches.

Jeff
I do in fact have an include file which will save me from having to modify each page. I know this is another problem which I have to fix but I think I can manage this myself *fingers crossed*

I moved the databases to another folder but now I can't get the site to pull the info out of them or post into it. Page simply displays blank fields where the data should populate!?!?!

What code do I need in the include file? I'd like to avoid configuring any DSN. Currently the code looks something like this:

<% Session("databasepath") = "D:\Inetpub\wwwroot\sitename\data\databasename.mdb" %>

Do I leave it this way or change it? If I leave it how do I get the databases to work now that I've moved them!

Thanks again for your help!!! Very appreciative!
Thanks for the feedback Paul. Articles were very interesting.

I've read the articles however, I'm confused about one thing. "The Access interface itself has no issues saving or opening an MDB file with any other extension." Does this mean that I need to have some server settings like an ODBC DSN pointing to the database in the first place? If not what server side settings is this referring to? I'm currently using an include file to point to the physical location of the databases (see my replies to Jeff).

Thanks for your help as well!
On Wed, 16 Jun 2004 03:05:08 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>Thanks for the feedback Paul.
>Articles were very interesting.
>I've read the articles however, I'm confused about one
>thing. "The Access interface itself has no issues saving
>or opening an MDB file with any other extension." Does
>this mean that I need to have some server settings like
>an ODBC DSN pointing to the database in the first place?
>If not what server side settings is this referring to?
>I'm currently using an include file to point to the
>physical location of the databases (see my replies to
>Jeff).
>
>Thanks for your help as well!
I think what the author means is that Access will allow a file to be saved as filename.bbc for example instead of filename.mdb

You don't *need* a DSN, you can code a DSN-less connection instead. See this article for details:

What should my connection string look like?
http://www.aspfaq.com/show.asp?id=2126

Check the permissions on the folder where you have placed your db file as well as per this article:

http://www.aspfaq.com/show.asp?id=2062

Regards,

Paul Lynch
On Wed, 16 Jun 2004 02:56:21 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>I do in fact have an include file which will save me from
>having to modify each page. I know this is another
>problem which I have to fix but I think I can manage this
>myself *fingers crossed*
>
>I moved the databases to another folder but now I can't
>get the site to pull the info out of them or post into
>it. Page simply displays blank fields where the data
>should populate!?!?!
When you move the file, you need to change the connection string to match the new location.

>What code do I need in the include file? I'd like to
>avoid configuring any DSN.
>Currently the code looks something like this:
><% Session("databasepath") = "D:\Inetpub\wwwroot\sitename\data\databasename.mdb" %>
>Do I leave it this way or change it? If I leave it how
>do I get the databases to work now that I've moved them!
Change this path to wherever you moved the file. If it's moved to D:\Databases\Sitename\Database.mdb for example, replace the path in your code with the correct path.

Jeff
One other point on moving database files, the Access database requires that the user account accessing it have MODIFY or better permissions for the folder the database is in.

Jeff
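As an added example (not code from the thread or from any of the posters), the script below turns Phil's and Jeff's advice into a check that can be run before and after the move: it pulls the path out of the Session("databasepath") line Robin quoted, normalises it under Windows path rules, and reports whether that path sits under the site's web root (and so can be fetched by an HTTP request, which is how the database was downloaded) or outside it. The include line and the destination D:\Databases\Sitename\Database.mdb come from the thread; the web root D:\Inetpub\wwwroot\sitename is inferred from Robin's path, and the function names and the regular expression are this example's own assumptions.

```python
"""Audit an ASP include file's Access database path against the IIS web root."""
import ntpath
import re

# Constructed sample mirroring the include-file line quoted in the thread.
INCLUDE_SNIPPET = (
    '<% Session("databasepath") = '
    '"D:\\Inetpub\\wwwroot\\sitename\\data\\databasename.mdb" %>'
)
# Assumed web root for the site (inferred from the path above, not stated on the page).
WEB_ROOT = r"D:\Inetpub\wwwroot\sitename"

# Matches the Session("databasepath") = "..." assignment; group 2 is the path literal.
PATH_RE = re.compile(r'(Session\("databasepath"\)\s*=\s*")([^"]*)(")')


def extract_db_path(asp_source):
    """Return the literal path assigned to Session("databasepath"), or None."""
    m = PATH_RE.search(asp_source)
    return m.group(2) if m else None


def is_inside_web_tree(db_path, web_root):
    """True when db_path resolves under web_root, i.e. IIS could serve it over HTTP.

    ntpath applies Windows path rules on any OS, so '..' segments, mixed
    slashes and letter case are normalised before the comparison.
    """
    root = ntpath.normcase(ntpath.normpath(web_root))
    target = ntpath.normcase(ntpath.normpath(db_path))
    try:
        return ntpath.commonpath([root, target]) == root
    except ValueError:
        # Different drive letters: the file cannot be under the web root.
        return False


def rewrite_db_path(asp_source, new_path):
    """Replace the path literal in the include file with new_path."""
    # A callable replacement keeps the backslashes in new_path from being
    # read as regex escape sequences.
    return PATH_RE.sub(lambda m: m.group(1) + new_path + m.group(3), asp_source, count=1)


def audit(asp_source, web_root):
    """Return (path, verdict); verdict is 'downloadable' or 'outside web tree'."""
    path = extract_db_path(asp_source)
    if path is None:
        return None, "no databasepath assignment found"
    verdict = "downloadable" if is_inside_web_tree(path, web_root) else "outside web tree"
    return path, verdict


if __name__ == "__main__":
    # Before the move: the database sits under the web root.
    print(audit(INCLUDE_SNIPPET, WEB_ROOT))
    # After the move to the location Jeff suggested.
    fixed = rewrite_db_path(INCLUDE_SNIPPET, r"D:\Databases\Sitename\Database.mdb")
    print(audit(fixed, WEB_ROOT))
```

The check only covers location; Jeff's points about NTFS rights (MODIFY for the account IIS runs the pages under) and URLScan still have to be applied on the server itself.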
It's working like a charm! Thanks again for all your help!
It's working great. Thanks for all your help and advice! It really helped me out.
On Thu, 17 Jun 2004 09:01:08 -0700, "Robin" <anonymous@discussions.microsoft.com> wrote:

>It's working great.
>
>Thanks for all your help and advice! It really helped me
>out.
That's great! Remember to keep your server up to date with security patches as and when they are released. As always check here and consider signing up for security bulletin notifications:

http://www.microsoft.com/security/default.mspx

Regards,

Paul Lynch