Preface: it turns out that renaming an MDB file to prevent downloading is a myth.

Yesterday Animator and I tried this: rename the Data.mdb file to data.asp in the wwwroot directory. After entering the path of data.asp in IE, I found that IE showed a blank page; right-click -> View Source opened Notepad; saving that content as a .mdb file and opening it in Access prompted for a password, which means at least the file header had been destroyed. Then I used FlashGet to download data.asp and saved it as Data.mdb, and found that it opened intact in Access!!! So it seems that some programmers believe, wrongly, that changing the MDB suffix prevents downloading.

For an ASP + Access website, having the backend database downloaded is undoubtedly a disaster. Today I looked through some articles and summarize below 9 methods of preventing the database from being downloaded (additions welcome):

1. Use your imagination to change the database file name
Needless to say, this is the laziest method, but if an attacker obtains the path of the database (through some third-party channel) it is over. For example, an attacker who has only obtained the List (directory listing) right may unexpectedly see the database path and can then take the database away to study it. In addition, a data file is usually large and cannot be concealed simply by its name. Therefore the confidentiality of this method is the lowest.

2. Change the database name suffix to ASA, ASP, etc.
This method must be combined with some further settings, otherwise the situation described at the start of this article appears. (1) Add a binary field (I have not yet worked out this trick -_-). (2) Add <% or %> to the database: IIS will then parse the file according to ASP syntax and report a 500 error, so it naturally cannot be downloaded. However, simply putting it into a text or memo field of the database is useless, because Access processes the content and it will not be stored as <% in the database!
The correct way is to store <% in an OLE Object field; then our purpose is achieved. Method: first, use Notepad to create a text file whose content is <%, with any file name. Next, open your database file in Access, create a table with any name, add a field of type OLE Object in that table, then add a record and insert the text file created above. If the operation is correct, you should see a new record called "packet".

3. Add "#" before the database name
You only need to add # in front of the database file name, then modify the database address in the database connection file (such as Conn.asp). The principle is that only the part before the # is treated as the file name; what follows it is an anchor. For example, if someone wants to download http://www.pcdigest.com/date/#123.mdb (supposing it exists), then whether with IE or FlashGet what is actually fetched is http://www.test.com/date/index.htm (index.asp, default.jsp or whatever default document is set in IIS). Keeping some spaces in the database file name plays a similar role: because of how the HTTP protocol resolves addresses, a space is encoded as "%20", so for http://www.test.com/date/123 456.mdb the address at download time becomes http://www.test.com/date/123%20456.mdb.
Our directory has no file named 123%20456.mdb, so the download is invalid as well. Even if the database address is exposed, it generally cannot be downloaded!

4. Encrypt the database
First select Tools -> Security -> Encrypt/Decrypt Database, select the database (e.g. employer.mdb), click OK, and in the "Save Encoded Database As" window save it as employer1.mdb. employer.mdb is then encoded and saved as employer1.mdb. Note that the above operation does not set a password on the database; it only encodes the database file, the purpose being to prevent others from viewing the content of the file with other tools. Next we set a password for the database: first open the encoded employer1.mdb in "Exclusive" mode, then choose Tools -> Security -> Set Database Password from the menu and enter the password. Now even if someone gets hold of employer1.mdb, without the password he cannot see its contents. After encrypting, modify the database connection page, for example:
conn.open "driver={Microsoft Access driver (*.mdb)};uid=admin;pwd=database password;DBQ=database path"
After this modification, even if the database is downloaded, others cannot open it (provided the password in your database connection page is not leaked). Note, however, that because the encryption mechanism of the Access database is relatively simple, even with a password set it is easy to decrypt: the database system XORs the password entered by the user with a fixed key to produce an encrypted string, and stores it in the *.mdb file in the area starting at address &H42. So a good programmer can easily write a few dozen lines of code that obtain the password of any Access database. Therefore, once the database has been downloaded, the security of the information is still uncertain.
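Methods 1, 2 and 4 all leave the database file inside the web root, and as the preface shows, a renamed copy keeps its Jet header. The following PowerShell script is an added example, not part of the original article: it audits a web root for Access databases by file header rather than by extension, so renamed copies are reported too. The root path D:\wwwroot is an assumption; the header strings are the Jet and ACE signatures found at byte offset 4 of .mdb/.accdb files.

```powershell
# Added example (not from the original article): find Jet/Access database
# files under a web root regardless of file extension, by checking the file
# header rather than the name. $WebRoot is an assumed path.
param([string]$WebRoot = 'D:\wwwroot')

function Find-AccessDatabases {
    param([string]$Root)
    # Documented signatures stored at byte offset 4 of the first page.
    $signatures = 'Standard Jet DB', 'Standard ACE DB'
    $header = New-Object byte[] 20

    Get-ChildItem -Path $Root -Recurse -File -Force |
        Where-Object { $_.Length -ge $header.Length } |
        ForEach-Object {
            $stream = $_.OpenRead()
            try {
                $read = $stream.Read($header, 0, $header.Length)
            } finally {
                $stream.Dispose()
            }
            if ($read -lt $header.Length) { return }
            # Bytes 0-3 are the page header; the 15-byte signature starts at byte 4.
            $text = [System.Text.Encoding]::ASCII.GetString($header, 4, 15)
            if ($signatures -contains $text) {
                [pscustomobject]@{
                    Path      = $_.FullName
                    Extension = $_.Extension
                    SizeKB    = [math]::Round($_.Length / 1KB)
                    # A renamed copy (method 2) is flagged exactly like a .mdb.
                    Renamed   = ($_.Extension -ne '.mdb' -and $_.Extension -ne '.accdb')
                }
            }
        }
}

Find-AccessDatabases -Root $WebRoot | Format-Table -AutoSize
```

Any file listed is reachable by URL unless IIS refuses to serve it (method 7) or it is moved out of the web root (method 5).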
5. Place the database outside the web directory, or put it in another virtual directory
For example, if your web directory is E:\Webroot, you can put the database in E:\Data and change the database connection address in the connection page under E:\Webroot to the form "../Data/database name". The database can then be called normally but cannot be downloaded, because it is not in the web directory! This method is generally not suitable for users who have purchased virtual hosting space.

6. Use an ODBC data source
In ASP, if conditions allow, use an ODBC data source and do not write the database name in the program; otherwise the database name is exposed together with any leak of the ASP source code. For example:
dbpath=server.mappath("../123/abc/asfadf.mdb")
conn.open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath
However strange the database name and however deep the hidden directory, once the ASP source code is leaked the database is easy to download.
If you use an ODBC data source there is no such problem: conn.open "ODBC-DSN name". But this is more troublesome, since the data source has to be reset whenever the directory moves. For a more convenient way, see methods 7 and 8!

7. Add an application mapping for the database extension (such as .mdb) in IIS
This is implemented by modifying the IIS settings, so it is suitable for friends who have control of IIS and not for users who have purchased a virtual host (unless the administrator has set it up). I think this is currently the best method: once the setting is modified, the databases of the entire site are protected from downloading, and there is no need to modify code even if the target address is exposed. In the IIS properties, go to Home Directory -> Configuration -> Mappings -> Application extensions and add an application mapping for .mdb. Note that the DLL (or EXE, etc.) selected is apparently not arbitrary: with an improper choice the MDB file can still be downloaded, and in particular it is best not to choose asp.dll. You can test it yourself by trying to download the database, e.g. http://www.test.com/data/dvbbs6.mdb: a 404 or 500 error should appear.

8. Use the "WBAL anti-leech tool", written in .NET, which prevents unauthorized file downloads
For details see http://www.9seek.com/wbal/. But it only prevents non-local (hotlinked) downloads; it has no functionality that acts as a real anti-download measure for databases. However, this method, in much the same way as method 5, can also be applied to local files, so that they cannot be downloaded locally either!

Among these methods, only the seventh and eighth are changed uniformly: after one configuration change, the databases of the entire site are protected from downloading. The others require modifying the database name and the connection file, which is more troublesome, but friends on virtual hosts can only do it that way!
In fact, the sixth method should be regarded as an extension of the fifth method and can achieve special functions, but on hosts that do not support .NET, if you are worried, use the fifth method. With the default method, one can still post a copy of the link to the host's own forum or guestbook and then click it to download (because such a referring page comes from the host itself).

9. Use NTFS partition file permission settings (by percyboy)
As we know, ASP.NET accesses the Access database through ADO.NET over an OLEDB connection; Access is one of the very common low-end databases we use. This article discusses a number of error prompts that may be seen in ASP.NET, for database files created by Access 2000 and by Access XP, and notes where the error messages differ between the two. I hope it is helpful. Another point is that through this article you will hopefully gain a new understanding of NTFS permissions for ASP.NET.

(1) Experiment process
For convenience of description, a specific example is used for the experiment: the application is /test, and the database file is placed at D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET runs as a virtual user called ASPNET, and we need to give this account specific NTFS permissions for the ASP.NET program to run normally.
To obtain the strictest NTFS permission settings, we start the experiment with the minimum NTFS permissions:
a) The D:\wwwroot\test\data\ folder gives user ASPNET the following permissions:
  Full Control           Allow □  Deny □
  Modify                 Allow □  Deny □
  Read & Execute         Allow √  Deny □
  List Folder Contents   Allow √  Deny □
  Read                   Allow √  Deny □
  Write                  Allow □  Deny □
b) The D:\wwwroot\test\data\db1.mdb file itself gives user ASPNET: √ Allow inheritable permissions from the parent to propagate to this object.

1.1 For an ASPX program containing only "Select" commands, the above permissions run without obstacle; that is, they already satisfy the operation of such programs.

1.2 For an ASPX program containing commands such as "Update" and "Insert":
(a) If db1.mdb is a database created by Access 2000, the following error appears:
Server Error in '/test' Application.
Microsoft Jet Database Engine cannot open file 'D:\wwwroot\test\data\'. It has already been opened by another user, or you have no permission to access its data.
Description: An unhandled exception occurred during the execution of the current web request. Check the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Microsoft Jet Database Engine cannot open file 'D:\wwwroot\test\data\'. It has already been opened by another user, or you have no permission to access its data.
(b) If db1.mdb is a database created by Access XP, the following error appears:
Server Error in '/test' Application.
Operation must use an updateable query.
Description: An unhandled exception occurred during the execution of the current web request. Check the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Operation must use an updateable query.
(c) Preliminary cause analysis: because commands such as "Update" and "Insert" require write operations on the database file itself, the above permissions cannot satisfy this requirement, and we need to release further permissions.
We release some permissions:
a) The D:\wwwroot\test\data\ folder: unchanged.
b) The D:\wwwroot\test\data\db1.mdb file itself gives user ASPNET the following permissions:
  Full Control           Allow □  Deny □
  Modify                 Allow □  Deny □
  Read & Execute         Allow √  Deny □
  List Folder Contents   Allow √  Deny □
  Read                   Allow √  Deny □
  Write                  Allow √  Deny □

1.3 Experiment after releasing permissions
(a) If db1.mdb is a database created by Access 2000, the following error appears:
Server Error in '/test' Application.
Could not lock file.
Description: An unhandled exception occurred during the execution of the current web request. Check the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Could not lock file.
(b) If db1.mdb is a database created by Access XP, there is no error.
(c) Preliminary cause analysis: we found that when an Access database is opened, a *.ldb file is generated in its directory; this is Access's lock marker. In view of this, we guess that when user ASPNET accesses the Access database it also needs to generate this lock marker, and the directory does not allow it to write, hence the error. As for why the database created by Access XP does not produce this error, the reason is unknown.

We release the permissions further:
a) The D:\wwwroot\test\data\ folder gives user ASPNET the following permissions:
  Full Control           Allow □  Deny □
  Modify                 Allow □  Deny □
  Read & Execute         Allow √  Deny □
  List Folder Contents   Allow √  Deny □
  Read                   Allow √  Deny □
  Write                  Allow √  Deny □
b) The D:\wwwroot\test\data\db1.mdb file itself gives user ASPNET: √ Allow inheritable permissions from the parent to propagate to this object.

1.4 Continuing the experiment, we find that the errors have been resolved. So these permissions are the "minimum permissions" we need to release.
(a) If db1.mdb is a database created by Access 2000, we find a small problem: the generated *.ldb file does not delete itself and still exists after the access. This problem does not affect normal ASP.NET operation, however.
(b) If db1.mdb is a database created by Access XP, there is no such problem.
(c) Preliminary cause analysis: we only gave ASPNET the Write permission on the folder, not Modify, so once a file has been written it cannot modify that file's content, and the *.ldb cannot be deleted either.
If you want to solve this problem, release the permissions further:
a) The D:\wwwroot\test\data\ folder gives user ASPNET the following permissions:
  Full Control           Allow □  Deny □
  Modify                 Allow √  Deny □
  Read & Execute         Allow √  Deny □
  List Folder Contents   Allow √  Deny □
  Read                   Allow √  Deny □
  Write                  Allow √  Deny □
b) The D:\wwwroot\test\data\db1.mdb file itself gives user ASPNET: √ Allow inheritable permissions from the parent to propagate to this object.

1.5 Supplement: another situation in the experiment. We open db1.mdb in Access and then access it from ASP.NET.
(a) If db1.mdb is a database created by Access 2000, we find there is no problem.
(b) If db1.mdb is a database created by Access XP, the following error appears:
Server Error in '/zhao' Application.
Could not use ''; file already in use.
Description: An unhandled exception occurred during the execution of the current web request. Check the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Could not use ''; file already in use.
(c) Preliminary cause analysis: the Access database is a single-user, single-threaded database. When we open the database file for editing in Access, it is actually opened by the current Windows user (such as Administrator), while ASP.NET uses the ASPNET virtual user (belonging to the Users group), whose level is lower than Administrator and which cannot "seize" the file, so a conflict error occurs. As for why Access 2000 ignores this problem, we need not discuss it; perhaps Access 2000 simply did not consider so many factors.

1.6 Supplement: change the attribute of db1.mdb to "Read-only". Whether the database was created by Access 2000 or Access XP, the same error prompts as the respective errors in 1.2 appear.
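The permissions found in 1.4 (and the Modify follow-up above) can be applied with the .NET ACL API instead of the Explorer dialog. The PowerShell script below is an added example and not part of the original article: it grants the ASPNET account exactly those rights on the data folder and lets them inherit to db1.mdb, then reads the ACL back. The folder path and account name are the article's; the -GrantModify switch and the function name are assumptions.

```powershell
# Added example (not from the original article): apply the experiment's
# "minimum permissions" for ASPNET on the data folder and read the ACL back.
param(
    [string]$DataDir = 'D:\wwwroot\test\data',
    [string]$Account = "$env:COMPUTERNAME\ASPNET",
    [switch]$GrantModify   # assumed switch for the 1.4 follow-up (ldb cleanup)
)

function Set-AspnetDataFolderAcl {
    param([string]$Path, [string]$Identity, [bool]$Modify)

    # Rights from section 1.4: Read & Execute, List Folder Contents, Read, Write.
    # ReadAndExecute already includes ListDirectory and Read; Write lets the
    # *.ldb lock file be created. Modify additionally lets it be deleted.
    $rights = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute -bor
              [System.Security.AccessControl.FileSystemRights]::Write
    if ($Modify) {
        $rights = [System.Security.AccessControl.FileSystemRights]::Modify
    }

    # Apply to the folder and inherit to its files, which is what the dialog's
    # "Allow inheritable permissions from the parent to propagate" does for db1.mdb.
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $rights, $inherit, $propagate,
        [System.Security.AccessControl.AccessControlType]::Allow)

    $acl = Get-Acl -Path $Path
    # Remove any existing ACEs for this account so rights do not accumulate.
    $acl.PurgeAccessRules((New-Object System.Security.Principal.NTAccount($Identity)))
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the ACEs now held by the account for review.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

Set-AspnetDataFolderAcl -Path $DataDir -Identity $Account -Modify:$GrantModify.IsPresent
```

Run it without -GrantModify to reproduce the 1.4 state, where the *.ldb file is left behind on Access 2000 databases, and with it to reproduce the follow-up where the lock file can be removed.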
(2) Experiment conclusions
(1) First we summarize the origin of the NTFS permission settings for the Access database file. In ASP.NET, the database is accessed by default under the identity of a virtual user called ASPNET. You can see this user in Control Panel -> Administrative Tools -> Computer Management -> Local Users and Groups -> Users. By default: Full name: ASP.NET Machine Account; Description: Account used for running the ASP.NET worker process (aspnet_wp.exe); Member of: Users group. Performing file operations as a user belonging to the Users group carries much less risk than as a user in the Administrators group; this is also a security consideration in ASP.NET. Since it is this user that needs to access the database file, we need to give it certain NTFS permissions to allow that access.