1. Use your imagination when naming the database file
This is admittedly the laziest method, and it is finished the moment an attacker learns the database path by some other route. For example, an attacker who merely obtains a directory listing and unexpectedly sees the database path can fetch the database and study it at leisure. Data files are also usually large, so a renamed file does not stay hidden for long. Of all the methods, this one offers the least confidentiality.
2. Change the database suffix to .asa, .asp, etc.
This approach only works together with some additional settings; otherwise the situation described in this article still occurs.
(1) Add a binary field (I have not managed to refine this trick yet).
(2) Add <% or %> to the database. IIS then tries to parse the file according to ASP syntax and reports a 500 error, so the file naturally cannot be downloaded. Simply putting <% into a text or memo field is useless, however, because Access processes the content and the <% does not end up stored in the database in that form. The correct way is to store the <% in an OLE Object field; that achieves our purpose.
Method:
First, use Notepad to create a text file whose content is <%; the file name does not matter.
Next, open your database file in Access, create a table with any name, add a field of type OLE Object to the table, then add a record and insert the text file you just created. If the operation is correct, you should see a new record called "packet". That is all.
3. Put a "#" in front of the database name
Simply add a # in front of the database file name, then change the database path in the database connection file (such as conn.asp) to match. The principle is that a "#" in a URL is treated as the start of a fragment identifier, so the part after it is never requested from the server. For example, trying to download http://www.pcdigest.com/date/#123.mdb (assuming it exists), whether with IE, FlashGet or another client, actually fetches http://www.test.com/date/, that is, the default document set in IIS for that directory (index.htm, index.asp, default.jsp, etc.).
Spaces in the database file name play a similar role. Because of how the HTTP protocol parses the address, a space is encoded as "%": http://www.test.com/date/123 456.mdb becomes http://www.test.com/date/123%456.mdb. Since there is no file named 123%456.mdb in our directory, the request fails, and even if the database address is exposed nobody can download it!
4. Encrypt the database
First choose "Tools -> Security -> Encrypt/Decrypt Database", select the database (e.g. Employer.mdb) and confirm; in the save window that appears, save it as Employer1.mdb. Employer.mdb is then encoded into Employer1.mdb. Note that this step does not set a password on the database; it only encodes the database file, to prevent others from viewing the content of the file with some other tool.
Next we add a password. Open the encoded Employer1.mdb, choosing "Exclusive" mode when opening. Then select "Tools -> Security -> Set Database Password" from the menu and enter the password. Now even if someone obtains the Employer1.mdb file, they cannot open it without the password. After encrypting, the database connection page must be changed, for example:
Conn.Open "driver={Microsoft Access Driver (*.mdb)};uid=admin;pwd=database password;DBQ=database path"
After this change, even if the database is downloaded, others cannot open it (provided the password in your database connection page is not leaked).
It is worth noting, however, that the encryption mechanism of the Access database is relatively simple, so even with a password set it is easy to decrypt. The database system forms an encrypted string by XORing the user-entered password, and stores it in the *.mdb file starting at offset &H42. A competent programmer can easily write a dozen-line program to recover the password of any Access database. Therefore, once the database has been downloaded, the information is still not safe.
5. Place the database outside the web directory, or put the database connection file in another virtual directory
If your web directory is E:\webroot, you can put the database into E:\data and change the database connection address in the connection page under E:\webroot to the form "../data/database name". The database can still be used normally, but it cannot be downloaded because it is not inside the web directory! This method is generally not available to users who rent virtual hosting.
6. Use an ODBC data source
In ASP and similar programming, use an ODBC data source whenever possible and do not write the database file name into the program; otherwise the database name is exposed along with the ASP source code if that is ever disclosed. For example:
dbpath = Server.MapPath("../123/abc/asfadf.mdb")
Conn.Open "driver={Microsoft Access Driver (*.mdb)};dbq=" & dbpath
As you can see, no matter how odd the database name or how deep the hidden directory, once the ASP source code is exposed the database is easy to download. With an ODBC data source there is no such problem: Conn.Open "ODBC DSN name". The drawback is that it is more of a hassle: whenever the directory moves, the data source must be reconfigured. For more convenient ways, see methods 7 and 8!
7. Add an application extension mapping for the database extension, such as .mdb
This method is implemented through IIS settings, so it suits those who control IIS and not users of purchased virtual hosting (unless the administrator has set it up). I think it is currently the best method: a single change protects the databases of the entire site from being downloaded, and there is no need to modify any code even if the target address is exposed.
In IIS, under Properties -> Home Directory -> Configuration -> Mappings -> Application Extensions, add an application mapping for the .mdb extension. Note that the DLL (or EXE, etc.) chosen here seems to be arbitrary, but if it is chosen badly the .mdb file can still be downloaded; in particular, it is best not to choose asp.dll or the like. You can verify the setting yourself by trying to download the database, e.g. http://www.test.com/data/dvbbs6.mdb; an error (404, 500, etc.) should appear.
8. Use the advantages of .NET
A developer known as Wood Bird has written a "WBAL anti-leech tool" that prevents illegal downloading of files; for details see http://www.9seek.com/wbal/.
However, that tool only prevents non-local (hotlinked) downloads; it has no functionality that acts as a genuine anti-download protection for databases. In 5 different attempts, though, this method could not be used to download the file through .NET, not even locally!
Among these methods, only the seventh and eighth are applied uniformly: after one configuration change, the databases of the whole site are protected from download. The others require changing the database name and the connection file, which is more troublesome, but for virtual-host users this is the only option!
In fact, the sixth method can be seen as an extension of the fifth, and it can achieve a special function, but on hosts that do not support .NET, if you are worried, use the fifth method. With the default method, one could still post the link on a page of the same host, such as the guestbook, and then click it to download (because the referring page then comes from the same host).
9. Use NTFS partition file permission settings (by percyboy)
We already know that ASP.NET uses ADO.NET to access databases, and accesses Access databases, one of the low-end databases we use most often, through OLE DB. This article discusses a number of error messages you may see in ASP.NET with database files created by Access 2000 and Access XP, and notes that the two give slightly different error messages when an error occurs. I hope it is helpful. Another point: I hope that through this article you gain a new understanding of the NTFS permissions of Access database files under ASP.NET.
(1) Experimental process
For convenience of description, a concrete example: the application is /test and the database file is stored at D:\wwwroot\test\data\db1.mdb. We already know that ASP.NET accesses the database under the identity of the ASPNET virtual user, so we need to give this account specific NTFS permissions for the ASP.NET program to run normally.
To find the strictest possible NTFS permission setting, we start the experiment by granting the program the lowest permissions:
a) Permissions for user ASPNET on the folder D:\wwwroot\test\data\:
                          Allow   Deny
   Full Control            □       □
   Modify                  □       □
   Read & Execute          √       □
   List Folder Contents    √       □
   Read                    √       □
   Write                   □       □
b) The file D:\wwwroot\test\data\db1.mdb itself, for user ASPNET:
   √ Allow inheritable permissions from the parent to propagate to this object
1.1 For an ASPX program containing only "Select" commands, the above permissions let it run without obstacles; that is, they already satisfy the needs of such programs.
1.2 For an ASPX program containing commands such as "Update", "Insert" and similar write operations,
(a) If db1.mdb was created by Access 2000, the following error appears:
Server Error in '/test' Application.
---------------------------------------
The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: The Microsoft Jet database engine cannot open the file 'D:\wwwroot\test\data\'. It is already opened exclusively by another user, or you need permission to view its data.
(b) If db1.mdb was created by Access XP, the following error appears:
Server Error in '/test' Application.
----------------------------------------------
Operation must use an updateable query.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Operation must use an updateable query.
(c) Preliminary cause analysis: commands such as "Update" and "Insert" need to write to the database file itself, so the above permissions cannot satisfy this requirement; we need to relax the permissions further.
We relax some of the permissions:
a) The folder D:\wwwroot\test\data\ is unchanged.
b) The file D:\wwwroot\test\data\db1.mdb itself is given the following permissions for user ASPNET:
                          Allow   Deny
   Full Control            □       □
   Modify                  □       □
   Read & Execute          √       □
   List Folder Contents    √       □
   Read                    √       □
   Write                   √       □
1.3 Continuing the experiment after this relaxation:
(a) If db1.mdb was created by Access 2000, the following error appears:
Server Error in '/test' Application.
------------------------------------------
Could not lock file.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Could not lock file.
(b) If db1.mdb was created by Access XP, there is no error.
(c) Preliminary cause analysis: we know that when an Access database is opened, a *.ldb file is generated in its directory; this is Access's lock marker. We therefore guess that when the user ASPNET accesses the Access database it also needs to generate this lock marker, and since the directory does not allow it to write, an error occurs. Why the database created by Access XP does not show this error is unknown. We relax the permissions further:
a) Permissions for user ASPNET on the folder D:\wwwroot\test\data\:
                          Allow   Deny
   Full Control            □       □
   Modify                  □       □
   Read & Execute          √       □
   List Folder Contents    √       □
   Read                    √       □
   Write                   √       □
b) The file D:\wwwroot\test\data\db1.mdb itself, for user ASPNET:
   √ Allow inheritable permissions from the parent to propagate to this object
1.4 Continuing the experiment, we find the error is resolved, so this set of permissions is the "minimum permission" we need to grant.
(a) If db1.mdb was created by Access 2000, we find a small problem: the generated *.ldb file is not deleted automatically and still exists after the access, but this does not affect the normal operation of ASP.NET.
(b) If db1.mdb was created by Access XP, there is no such problem.
(c) Preliminary cause analysis: we only gave ASPNET the Write permission on the folder, not Modify, so once a file has been written ASPNET cannot modify its content, and the *.ldb file cannot be deleted either.
If you want to solve this problem, relax the permissions further as follows:
a) Permissions for user ASPNET on the folder D:\wwwroot\test\data\:
                          Allow   Deny
   Full Control            □       □
   Modify                  √       □
   Read & Execute          √       □
   List Folder Contents    √       □
   Read                    √       □
   Write                   √       □
b) The file D:\wwwroot\test\data\db1.mdb itself, for user ASPNET:
   √ Allow inheritable permissions from the parent to propagate to this object
1.5 Additional experiment: we open db1.mdb in Access and access it from ASP.NET at the same time.
(a) If db1.mdb was created by Access 2000, there is no problem.
(b) If db1.mdb was created by Access XP, the following error appears:
Server Error in '/zhao' Application.
------------------------------------------------
Could not use ''; file already in use.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.OleDb.OleDbException: Could not use ''; file already in use.
(c) Preliminary cause analysis: Access is a single-user, single-threaded database. When we open the database file for editing in Access, it is actually opened by the current Windows user (such as Administrator), whereas ASP.NET by default uses the ASPNET virtual user (a member of the Users group), whose level is lower than Administrator and which cannot "take" the file from Administrator, hence the conflict error. Why Access 2000 ignores this problem we need not discuss; perhaps Access 2000 simply did not consider so many factors.
1.6 Additional experiment: set the attributes of db1.mdb to "Read-only". Whether the database was created by Access 2000 or Access XP, the same error messages as in 1.2 appear respectively.
(2) Experimental conclusions
(1) First let us summarize where the NTFS permission settings for the Access database file come from:
By default, ASP.NET runs under a virtual user called ASPNET. You can see this user under Administrative Tools -> Computer Management -> Users; by default:
Full name: ASP.NET Machine Account
Description: Account for running the ASP.NET worker process (aspnet_wp.exe)
Member of: Users group.
Performing file and database operations as a user that belongs to the Users group is far less risky than doing so as a member of the Administrators group; this is one of the security considerations of ASP.NET.
Since it is this user that needs to access the database file, we must give it certain NTFS permissions to allow that access. Obviously, without the NTFS permissions ASPNET cannot access the database, and the errors seen in the experiments above appear.
(2) From the above experiment we already know that the following NTFS permission settings satisfy general needs:
a) Permissions for user ASPNET on the folder D:\wwwroot\test\data\:
                          Allow   Deny
   Full Control            □       □
   Modify                  □       □
   Read & Execute          √       □
   List Folder Contents    √       □
   Read                    √       □
   Write                   √       □
b) The file D:\wwwroot\test\data\db1.mdb itself, for user ASPNET:
   √ Allow inheritable permissions from the parent to propagate to this object
At the same time, note that db1.mdb must not have the "Read-only" file attribute, or ASPNET cannot access it.
(3) The above permissions can be set directly for the ASPNET user, or for the Users group, or the same permissions can be granted to the Everyone group. Because ASPNET is a member of the Users group, setting permissions on the group also grants them to ASPNET.
(4) NTFS permissions are set in the "Security" tab of the "Properties" dialog obtained by right-clicking the file or folder. In general, give the Administrators group "Full Control" and do not tick "Deny" casually; for details of NTFS permission settings, consult network administrators or network security experts. Note: partitions formatted as FAT or FAT32 do not support NTFS permissions.
(5) In the Windows 2000 and Windows Server 2003 series the "Security" tab is easy to find, but in Windows XP Professional it is hidden by default. Open "Control Panel" -> "Folder Options" -> "View" tab, and under "Advanced settings" remove the "√" from the simple file sharing option; after clicking "OK", the "Security" tab appears as described above.
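The minimum permission set that conclusion (2) arrives at, as an added PowerShell script that is not part of the original article: the folder path, file name and ASPNET account are the article's example values, and the -AllowLdbCleanup switch (applying the step 1.4 relaxation) is my own naming.

```powershell
# Added example (not from the original article): grant the ASPNET account the
# minimum NTFS rights from section 9, conclusion (2). Assumptions: paths and
# account name are the article's example values; run elevated on an NTFS volume.
param(
    [string]$DataDir = 'D:\wwwroot\test\data',
    [string]$Account = "$env:COMPUTERNAME\ASPNET",
    [switch]$AllowLdbCleanup   # step 1.4: Modify instead of Write so *.ldb can be deleted
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# Read & Execute (which covers List Folder Contents and Read) plus Write, so the
# Jet engine can create its *.ldb lock file beside the .mdb (step 1.3). No Full
# Control and no Deny entries, exactly as in the article's table.
$rights = $FSR::ReadAndExecute -bor $FSR::Write
if ($AllowLdbCleanup) { $rights = $FSR::Modify }

# ContainerInherit + ObjectInherit: the .mdb receives the same rights from the folder.
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -Path $DataDir
$acl.SetAccessRule($rule)          # replaces any earlier explicit rule for this account
Set-Acl -Path $DataDir -AclObject $acl

# b) the file itself: keep inheritance enabled instead of adding explicit rights.
$dbFile  = Join-Path $DataDir 'db1.mdb'
$fileAcl = Get-Acl -Path $dbFile
$fileAcl.SetAccessRuleProtection($false, $true)   # $false = inherit from the parent
Set-Acl -Path $dbFile -AclObject $fileAcl

# Step 1.6: a read-only attribute blocks writes regardless of the ACL, so report it.
if (((Get-Item $dbFile).Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0) {
    Write-Warning "$dbFile is marked read-only; Update/Insert will fail as in step 1.2"
}

# Verify: show the explicit entry for the account on the folder.
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference.Value -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```

The final table should show ReadAndExecute, Write for the account (or Modify when the switch is given) with IsInherited false; the .mdb inherits the same entry.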
===========
In summary, methods 2, 3 and 4 are the most basic and most effective ways to prevent the database from being downloaded. They apply both to administrators who control the server and to users of virtual hosting, and every webmaster is recommended to use all three.
If you have control over the server, it is recommended to add method 9 as well; the security of your Access database will be greatly improved.