Don't underestimate the importance of configuring security settings properly. A misconfigured application not only exposes your ASP application to unnecessary tampering, but can also prevent legitimate users from accessing your .asp files.
The Web server provides several ways to protect an ASP application from unauthorized access and tampering. After reading the security information in this topic, take some time to review your Windows NT and Web server security documentation.
NTFS permissions
You can protect the files of an ASP application by applying NTFS access permissions to individual files and directories. NTFS permissions are the basis of Web server security: they define the level of access that a user or group of users has to files and directories. When a user with a valid Windows NT account attempts to access a file with restricted permissions, the computer checks the file's access control list (ACL). This list defines the permissions granted to different users and user groups. If the user's account has permission to open the file, the computer allows the user to access it. For example, the owner of a Web application on the Web server needs "Change" permission in order to view, change, and delete the application's .asp files, whereas public users accessing the application should be granted only "Read" permission, which limits them to viewing the Web pages without being able to change them.
Keeping Global.asa secure
To fully protect an ASP application, you must set NTFS file permissions on the application's Global.asa file for the appropriate users or user groups. If Global.asa contains commands that return information to the browser and the file is not protected, that information will be returned to the browser even if the application's other files are protected.
Note: Be sure to apply consistent NTFS permissions across the application's files. For example, if you accidentally restrict NTFS permissions on an include file that the application needs, users may be unable to view or run the application. To prevent such problems, plan carefully before assigning NTFS permissions to your application.
Web server permissions
By configuring the Web server you can restrict, for all users, whether your ASP pages can be viewed, run, or otherwise processed. Unlike NTFS permissions, which control which specific users can access application files and directories, Web server permissions apply to all users and do not distinguish between types of user account.
For users to be able to run your ASP application, follow these principles when setting Web server permissions:
Allow "Read" or "Script" permission for directories that contain .asp files.
Allow "Read" and "Script" permissions for .asp files and for other files that contain scripts (such as .htm files).
Allow "Read" and "Execute" permissions for directories that contain .asp files and other files that must be executed, such as .dll files.
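The following Windows Script Host script is an added example, not part of the original document: it applies the three permission principles above through the IIS ADSI provider (the AccessRead, AccessScript, AccessExecute and AccessWrite properties of a virtual directory) and prints the resulting flags so an administrator can verify them. The metabase paths "IIS://localhost/W3SVC/1/Root/MusicStore" and its "bin" child are assumptions; both must exist as metabase nodes, and the script must be run on the Web server by an administrator.

```vbscript
' Added example: apply Web server permissions for an ASP application with ADSI.
' The application path below is an assumption; change it to your own site.
Option Explicit

Const APP_PATH = "IIS://localhost/W3SVC/1/Root/MusicStore"

' Content directory: .asp and .htm files need Read and Script, but not
' Execute (no binaries run here) and never Write (no uploads over HTTP).
Sub SecureContentDir(path)
    Dim vdir
    Set vdir = GetObject(path)
    vdir.AccessRead    = True
    vdir.AccessScript  = True
    vdir.AccessExecute = False
    vdir.AccessWrite   = False
    vdir.SetInfo
End Sub

' Binary directory: .dll files need Read and Execute (Execute includes Script).
Sub SecureBinaryDir(path)
    Dim vdir
    Set vdir = GetObject(path)
    vdir.AccessRead    = True
    vdir.AccessExecute = True
    vdir.AccessWrite   = False
    vdir.SetInfo
End Sub

' Report the stored flags so the change can be checked after SetInfo.
Function DescribePermissions(path)
    Dim vdir
    Set vdir = GetObject(path)
    DescribePermissions = path & ": Read=" & vdir.AccessRead & _
        " Script=" & vdir.AccessScript & " Execute=" & vdir.AccessExecute & _
        " Write=" & vdir.AccessWrite
End Function

SecureContentDir APP_PATH
SecureBinaryDir APP_PATH & "/bin"   ' assumed child node holding the .dll files
WScript.Echo DescribePermissions(APP_PATH)
WScript.Echo DescribePermissions(APP_PATH & "/bin")
```

Run it with cscript so the echoed flags appear in the console. Keeping the binaries in their own directory is what makes this split possible: "Execute" is granted only where it is needed, and the content directory never gets it.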
Script mapping
The application's script mapping ensures that the Web server does not accidentally send the source code of .asp files to the client. For example, even if you set "Read" permission on a directory that contains .asp files, as long as the .asp extension is part of a script map, the Web server will not return the file's source code to the user.
Cookie security
ASP uses a SessionID cookie to track a specific Web browser during its visit to the application, known as a session. That is, HTTP requests carrying the corresponding cookie are treated as coming from the same Web browser. Using SessionID cookies, the Web server can provide an ASP application with user-specific session information. For example, if your application is an online music store that lets users select and purchase CDs, you can use the SessionID to follow a user as they move through the application.
Can the SessionID be guessed by a hacker?
To prevent a hacker from guessing a SessionID cookie and gaining access to a legitimate user's session variables, the Web server assigns a randomly generated number to each SessionID. Whenever the user's Web browser returns a SessionID cookie, the server extracts the SessionID and the random number and checks whether they match the generated number stored on the server. If the two numbers match, the user is allowed to access the session variables. The effectiveness of this technique lies in the length of the number (64 bits), which makes the chance of a hacker guessing a SessionID, and thereby stealing a user's active session, practically zero.
Encrypting the SessionID cookie
A hacker who intercepts a user's SessionID cookie can use it to impersonate that user. If the ASP application holds private information such as credit card or bank account numbers, the hacker could take over an active session in your application and obtain that information. You can prevent SessionID cookies from being intercepted by encrypting the communication link between your Web server and the user's browser.
Using authentication to protect restricted ASP content
You can require every user who tries to access restricted ASP content to have the user name and password of a valid Windows NT account. Whenever a user tries to access restricted content, the Web server authenticates the user, that is, confirms the user's identity by checking that the user has a valid Windows NT account.
The Web server supports the following authentication methods:
Basic authentication prompts the user to enter a user name and password.
Windows NT Challenge/Response authentication obtains the user's identity information from the user's Web browser through an encrypted exchange.
However, the Web server verifies the user's identity only when anonymous access is disabled or when permissions restrict anonymous access.
Protecting the metabase
ASP scripts that access the metabase require administrator privileges on the computer running the Web server. When such scripts are run from a remote computer, the connection must be authenticated, for example with Windows NT Challenge/Response authentication. You should create a separate server or directory for administration-level .asp files and set its directory security to Windows NT Challenge/Response authentication. Currently, only Microsoft Internet Explorer 2.0 or later supports Windows NT Challenge/Response authentication.
Using SSL to keep your application secure
The Secure Sockets Layer (SSL) 3.0 protocol, a security feature of the Web server, provides a secure and virtually transparent way to establish encrypted communication with users. SSL guarantees the integrity of Web content and reliably confirms the identity of users accessing a restricted Web site.
With SSL, you can require a user who tries to access a restricted ASP application to establish an encrypted connection with your server, so that important information exchanged between the user and the application cannot be intercepted.
Keeping include files secure
If an include file is located in a directory under a virtual root that is not protected by SSL, SSL will not be applied to the included file. Therefore, to ensure that SSL protects the whole application, make sure that both the including file and the included file are located in SSL-protected directories.
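The include file below is an added example, not code from the original document; it shows how a restricted .asp page can check, in script, the conditions the authentication, cookie and SSL sections above rely on. It assumes that directory security for the restricted directory already disables anonymous access (so that LOGON_USER is populated) and requires SSL; the script refuses the request if either setting has been lost, and it binds the session to the authenticated account so that a SessionID cookie presented under a different account is rejected. The session key name "LogonUser" and the messages are constructed for the example.

```vbscript
<%
' Added example: restricted-page checks for an ASP application.
' Include this at the very top of each restricted .asp page, before any HTML,
' and place it in an SSL-protected directory (see "Keeping include files secure").
Option Explicit
Response.Buffer = True   ' needed so Response.Clear can discard partial output

' True when the request arrived over an SSL connection.
Function IsSecureConnection()
    IsSecureConnection = (LCase(Request.ServerVariables("HTTPS")) = "on")
End Function

' The Windows NT account the Web server authenticated, or "" for an
' anonymous request (the server only authenticates when anonymous
' access is disabled or restricted).
Function AuthenticatedUser()
    AuthenticatedUser = Request.ServerVariables("LOGON_USER")
End Function

' Send a failure status and stop; Response.End prevents anything sensitive
' further down the page from being written.
Sub Refuse(status, message)
    Response.Clear
    Response.Status = status
    Response.Write Server.HTMLEncode(message)
    Response.End
End Sub

Sub RequireRestrictedAccess()
    Dim user
    ' 1. Private information must only cross an encrypted link.
    If Not IsSecureConnection() Then
        Refuse "403 Forbidden", "This page must be requested over SSL (https)."
    End If
    ' 2. Anonymous requests carry no verified identity.
    user = AuthenticatedUser()
    If Len(user) = 0 Then
        Refuse "401 Unauthorized", "A valid Windows NT account is required."
    End If
    ' 3. Tie the session to the account that created it, so a stolen or
    '    replayed SessionID cookie is useless under another identity.
    If IsEmpty(Session("LogonUser")) Then
        Session("LogonUser") = user
    ElseIf Session("LogonUser") <> user Then
        Session.Abandon
        Refuse "403 Forbidden", "This session does not belong to the current account."
    End If
End Sub

RequireRestrictedAccess
%>
```

The script is a second line of defence, not a replacement for the server settings: the Web server, not the script, performs the authentication, and the script can only confirm that the request reached it in the expected state.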
Client certificates
A very secure way to control access to your ASP application is to require users to log on with a client certificate. A client certificate is a digital ID that contains the user's identity information; it plays the same role as a traditional form of identification such as a passport or driver's license. Users typically obtain client certificates from a trusted third-party organization, which confirms the user's identity information before issuing the certificate. (Usually such organizations require a name, address, telephone number and organization; how detailed this information is depends on the level of identification.)
Whenever a user tries to log on to an application that requires a client certificate, the user's Web browser automatically sends the certificate to the server. If the Web server's Secure Sockets Layer (SSL) certificate mapping feature is configured correctly, the server can confirm the user's identity before granting access to the ASP application.
ASP scripts for processing client certificates
As an ASP application developer, you can write scripts that check whether a certificate is present and read its fields. For example, you can read the user name and company name fields from the certificate. Active Server Pages stores certificate information in the ClientCertificate collection of the Request object.
The Web server must be configured to accept or require client certificates before ASP can process them; otherwise, the ClientCertificate collection will be empty.
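The page below is an added example, not part of the original document, of a script that reads the ClientCertificate collection as described above. It checks the Flags key (the two flag constants are the values IIS ships in cervbs.inc), handles the empty collection you get when the server is not configured to accept certificates, checks the validity period, and reads subject and issuer subfields. The expected issuer name "Example Corp CA" is an assumption standing in for your own trusted issuer.

```vbscript
<%
' Added example: inspect the client certificate before serving a restricted page.
Option Explicit

Const ceCertPresent        = 1   ' a client certificate was presented (cervbs.inc)
Const ceUnrecognizedIssuer = 2   ' issuer is not on the server's trusted list
Const TRUSTED_ISSUER_CN    = "Example Corp CA"   ' assumption: your own CA name

' True only when a certificate was sent and the server recognized its issuer.
' When the server is not configured to accept certificates, or none was sent,
' the collection is empty and Flags comes back as an empty string.
Function HasTrustedCertificate()
    Dim flags
    flags = Request.ClientCertificate("Flags")
    If IsEmpty(flags) Or Len(flags) = 0 Then
        HasTrustedCertificate = False
    Else
        flags = CLng(flags)
        HasTrustedCertificate = ((flags And ceCertPresent) <> 0) And _
                                ((flags And ceUnrecognizedIssuer) = 0)
    End If
End Function

' Flags say nothing about expiry, so compare the validity period with Now.
Function CertificateIsCurrent()
    CertificateIsCurrent = (CDate(Request.ClientCertificate("ValidFrom")) <= Now) And _
                           (CDate(Request.ClientCertificate("ValidUntil")) >= Now)
End Function

' Subject and Issuer subfields are read by appending the subfield name to the key.
Function CertificateSummary()
    CertificateSummary = "CN=" & Request.ClientCertificate("SubjectCN") & _
        "; O=" & Request.ClientCertificate("SubjectO") & _
        "; issuer=" & Request.ClientCertificate("IssuerCN") & _
        "; serial=" & Request.ClientCertificate("SerialNumber") & _
        "; valid until=" & Request.ClientCertificate("ValidUntil")
End Function

Sub Refuse(message)
    Response.Status = "403 Forbidden"
    Response.Write Server.HTMLEncode(message)
    Response.End
End Sub

Sub RequireClientCertificate()
    If Not HasTrustedCertificate() Then
        Refuse "A client certificate from a trusted issuer is required."
    End If
    If Not CertificateIsCurrent() Then
        Refuse "The client certificate is outside its validity period."
    End If
    ' A recognized issuer is not necessarily the one this application trusts.
    If Request.ClientCertificate("IssuerCN") <> TRUSTED_ISSUER_CN Then
        Refuse "The client certificate was not issued by the expected authority."
    End If
End Sub

RequireClientCertificate
Response.Write "<p>Logged on with certificate: " & _
    Server.HTMLEncode(CertificateSummary()) & "</p>"
%>
```

Every certificate field written back to the browser goes through Server.HTMLEncode, since subject and issuer names are attacker-chosen text as far as the page is concerned.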