Is an Access file secure on a web server?

  1. #1

    Is an Access file secure on a web server?


    Can someone tell me the most efficient and secure way to ensure that a few
    Access MDB files are in as secure a location as possible and still be
    accessible to our web server? I'm a bit concerned at having MDB files
    stored directly on the web server hard drive, but can't think of any other
    solutions outside of going with SQL Server (which is not an option for us).

    Any ideas?

    Thanks!


    Guest

  3. #2

    Re: Is an Access file secure on a web server?

    By storing them on the server, they're as safe as any other file on the
    server. But, the one thing you must realize that so many people fail to
    think about is that if you put your .mdb file in your website area on your
    server, people can download it. When you see people post code here like:

    <%
    ADOObjectVariable.Open Server.MapPath("database.mdb")
    'etc. etc.
    %>

    that means that you could go to that person's site at
    [url]http://hissite.com/directory/database.mdb[/url] and download his database.

    Ray at work

    <spam@merrimac.net> wrote in message
    news:uC$xXuKlDHA.688@TK2MSFTNGP10.phx.gbl...
    >
    > Can someone tell me the most efficient and secure way to ensure that a few
    > Access MDB files are in as secure a location as possible and still be
    > accessible to our web server? I'm a bit concerned at having MDB files
    > stored directly on the web server hard drive, but can't think of any other
    > solutions outside of going with SQL Server (which is not an option for us).
    >
    > Any ideas?
    >
    > Thanks!
    >
    >

    Ray at Guest

  4. #3

    Is an Access file secure on a web server?

    The most secure way is to place the files in a directory
    that is NOT accessible via the web site.

    Example:
    Assume your website directory is set to:
    C:\InetPub\WWWRoot
    Then you would put your MDB files someplace outside that
    structure. I.E.
    D:\WEBFiles\MyDatabase.MDB
    Then in your connection string, you include the path to
    the database.

    For details on the connection string visit:
    [url]http://www.aspfaq.com/show.asp?id=2126[/url]

    Remember that you must grant the appropriate rights to the
    IUSR account to the directory where the database is
    located.

    HTH,
    John


    >-----Original Message-----
    >
    >Can someone tell me the most efficient and secure way to ensure that a few
    >Access MDB files are in as secure a location as possible and still be
    >accessible to our web server? I'm a bit concerned at having MDB files
    >stored directly on the web server hard drive, but can't think of any other
    >solutions outside of going with SQL Server (which is not an option for us).
    >
    >Any ideas?
    >
    >Thanks!
    >
    >
    >.
    >
    John Beschler Guest
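
A check for the layout John describes above, as an added example that is not part of the original post: it pulls the Data Source out of a connection string and reports whether that path falls inside the web root under Windows path rules. The function names and every sample string other than John's two paths are constructed for illustration.

```python
import ntpath  # Windows path semantics, usable on any platform


def data_source(conn_str):
    """Return the Data Source value of an OLE DB connection string, or None."""
    for part in conn_str.split(";"):
        key, sep, value = part.partition("=")
        if sep and key.strip().lower() == "data source":
            return value.strip().strip('"')
    return None


def is_under(path, root):
    """True if path lies inside root (case-insensitive, '..' collapsed)."""
    p = ntpath.normcase(ntpath.normpath(path))
    r = ntpath.normcase(ntpath.normpath(root))
    if ntpath.splitdrive(p)[0] != ntpath.splitdrive(r)[0]:
        return False  # different drive or share: cannot be inside root
    # commonpath compares whole components, so WWWRootOld is not under WWWRoot
    return ntpath.commonpath([p, r]) == r


def classify(conn_str, web_root):
    """Classify where a connection string's database file sits."""
    src = data_source(conn_str)
    if src is None:
        return "no-data-source"      # e.g. a DSN-based string
    if not ntpath.splitdrive(src)[0]:
        return "relative-path"       # location depends on the process directory
    return "inside-web-root" if is_under(src, web_root) else "outside-web-root"


if __name__ == "__main__":
    web_root = r"C:\InetPub\WWWRoot"
    jet = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source="
    samples = [  # constructed connection strings
        jet + r"D:\WEBFiles\MyDatabase.MDB",
        jet + r"c:\inetpub\wwwroot\db\site.mdb",
        jet + r"C:\InetPub\WWWRoot\..\data\site.mdb",
        jet + "database.mdb",
    ]
    for s in samples:
        print(classify(s, web_root), "<-", s)
```
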

  5. #4

    Re: Is an Access file secure on a web server?

    1) Don't put it in a path off your website
    2) change mdb ext to some nondescript name from .mdb to .112147 or .mmm
    it will still work ok
    3) If you're running an IIS server you most likely are running iis lock down,
    add the extension you use to the disallow download list in the ini file.
    4) Cover up any db errors reported back to browser as they may show file
    name etc...


    Regards
    Don Grover



    <spam@merrimac.net> wrote in message
    news:uC$xXuKlDHA.688@TK2MSFTNGP10.phx.gbl...
    >
    > Can someone tell me the most efficient and secure way to ensure that a few
    > Access MDB files are in as secure a location as possible and still be
    > accessible to our web server? I'm a bit concerned at having MDB files
    > stored directly on the web server hard drive, but can't think of any other
    > solutions outside of going with SQL Server (which is not an option for us).
    >
    > Any ideas?
    >
    > Thanks!
    >
    >

    Don Grover Guest

  6. #5

    Re: Is an Access file secure on a web server?

    > 2) change mdb ext to some nondescript name from .mdb to .112147 or .mmm
    > it will still work ok

    .asp would be better; if the user somehow learns your file name, they would
    enter [url]http://you/yourMDB.asp[/url] and IIS would try to process it as an ASP file
    (and there would be an error message). If you name it .112147 or .mmm,
    neither the server nor the browser will know what to do with it, so the user
    will be prompted to Open/Save.


    Aaron Bertrand - MVP Guest

  7. #6

    Re: Is an Access file secure on a web server?

    > The most secure way is to place the files in a directory
    > that is NOT accessible via the web site.

    However, for those on shared hosting, this is pretty much impossible...
    unless you like opening a ticket every time you need to work on the database
    file itself, or put a new database file up there. I think for many
    situations that simply naming the MDB with an .asp extension is a good
    compromise between true security and security through obscurity.


    Aaron Bertrand - MVP Guest

  8. #7

    Re: Is an Access file secure on a web server?

    I like to think that many hosts are aware of the security concerns and offer
    a solution. My girlfriend has a bunch of websites hosted with
    myhosting.com, and they provide a directory within each website to store
    files that the customer doesn't want downloaded. If I go to
    [url]http://thesite/thisspecialdir/nameofAccessDatabase.mdb[/url], I get a 403.2, Read
    access is denied.

    So, check with your host to see if they give you a directory with special
    permissions for files that you don't want downloaded if you do not have
    access to any physical path outside of your "wwwroot."

    Ray at work

    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
    news:uhtPYILlDHA.1884@TK2MSFTNGP09.phx.gbl...
    > However, for those on shared hosting, this is pretty much impossible...
    > unless you like opening a ticket every time you need to work on the database
    > file itself, or put a new database file up there. I think for many
    > situations that simply naming the MDB with an .asp extension is a good
    > compromise between true security and security through obscurity.
    >
    >

    Ray at Guest

  9. #8

    Re: Is an Access file secure on a web server?

    > I like to think that many hosts are aware of the security concerns and offer
    > a solution. My girlfriend has a bunch of websites hosted with
    > myhosting.com, and they provide a directory within each website to store
    > files that the customer doesn't want downloaded. If I go to
    > [url]http://thesite/thisspecialdir/nameofAccessDatabase.mdb[/url], I get a 403.2, Read
    > access is denied.

    Are you saying she has FTP access to "thisspecialdir"? If not, how is she
    able to access her own databases? And what kind of teeth does she have to
    pull to put new ones up there?

    Does she have to bug them to set up a system DSN every time, or do they let
    her know the exact local path? A potential problem with using a local path
    outside of the web root is updating all of your scripts when the host
    decides to put databases etc. in a different folder or on a different
    drive... this can often happen inadvertently when they upgrade the box or
    move it to a different server.


    Aaron Bertrand - MVP Guest

  10. #9

    Re: Is an Access file secure on a web server?

    > stored directly on the web server hard drive, but can't think of any other
    > solutions outside of going with SQL Server (which is not an option for us).

    What about MSDE? Even with a 5 concurrent workload limit and 2GB database
    size limitation, it's more secure and more scalable than Access. And it's
    free.


    Aaron Bertrand - MVP Guest

  11. #10

    Re: Is an Access file secure on a web server?


    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
    news:uPX5mpLlDHA.3312@tk2msftngp13.phx.gbl...
    > > I like to think that many hosts are aware of the security concerns and offer
    > > a solution. My girlfriend has a bunch of websites hosted with
    > > myhosting.com, and they provide a directory within each website to store
    > > files that the customer doesn't want downloaded. If I go to
    > > [url]http://thesite/thisspecialdir/nameofAccessDatabase.mdb[/url], I get a 403.2, Read
    > > access is denied.
    >
    > Are you saying she has FTP access to "thisspecialdir"? If not, how is she
    > able to access her own databases? And what kind of teeth does she have to
    > pull to put new ones up there?

    Yes, ftp access just like any other dir.

    > Does she have to bug them to set up a system DSN every time, or do they let
    > her know the exact local path?

    They let their clients know the exact path. It's nice.

    > A potential problem with using a local path
    > outside of the web root is updating all of your scripts when the host
    > decides to put databases etc. in a different folder or on a different
    > drive... this can often happen inadvertently when they upgrade the box or
    > move it to a different server.

    Yes, but that can usually be taken care of in a few seconds with a
    find/replace or just redefining a global constant. So, I guess it's still
    better than having someone be able to download your database. :]

    Ray at work


    Ray at Guest

  12. #11

    Re: Is an Access file secure on a web server?

    Brinkster does the same thing.
    The users ftp to the site, or use the web interface they provide, to
    manipulate the database.
    They also provide a sample connection string that uses...
    Server.MapPath("\UserName\db\dbname.mdb")


    "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    news:%23W3hYvLlDHA.1728@TK2MSFTNGP11.phx.gbl...
    >
    > "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
    > news:uPX5mpLlDHA.3312@tk2msftngp13.phx.gbl...
    > > > I like to think that many hosts are aware of the security concerns and offer
    > > > a solution. My girlfriend has a bunch of websites hosted with
    > > > myhosting.com, and they provide a directory within each website to store
    > > > files that the customer doesn't want downloaded. If I go to
    > > > [url]http://thesite/thisspecialdir/nameofAccessDatabase.mdb[/url], I get a 403.2, Read
    > > > access is denied.
    > >
    > > Are you saying she has FTP access to "thisspecialdir"? If not, how is she
    > > able to access her own databases? And what kind of teeth does she have to
    > > pull to put new ones up there?
    >
    > Yes, ftp access just like any other dir.
    >
    > >
    > > Does she have to bug them to set up a system DSN every time, or do they let
    > > her know the exact local path?
    >
    > They let their clients know the exact path. It's nice.
    >
    > > A potential problem with using a local path
    > > outside of the web root is updating all of your scripts when the host
    > > decides to put databases etc. in a different folder or on a different
    > > drive... this can often happen inadvertently when they upgrade the box or
    > > move it to a different server.
    > >
    >
    > Yes, but that can usually be taken care of in a few seconds with a
    > find/replace or just redefining a global constant. So, I guess it's still
    > better than having someone be able to download your database. :]
    >
    > Ray at work
    >
    >

    Tom B Guest

  13. #12

    Re: Is an Access file secure on a web server?

    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
    news:%23oHY0rLlDHA.2676@TK2MSFTNGP11.phx.gbl...
    > > stored directly on the web server hard drive, but can't think of any other
    > > solutions outside of going with SQL Server (which is not an option for us).
    >
    > What about MSDE? Even with a 5 concurrent workload limit and 2GB database
    > size limitation, it's more secure and more scalable than Access. And it's
    > free.

    My understanding of MSDE was that it wasn't licensed for commercial use
    outside of a development environment. I do have a copy of MSDE from the Vis
    Basic 6 Pro software we purchased and I just never looked at it for that
    reason. So do you mean it's OK to use on a commercial website? That would
    change everything...

    By the way, thanks to everyone for the great ideas. The MDB files are
    currently NOT in the wwwroot path as you've all suggested. My concern is
    people gaining remote access to the website and having access to all of the
    files physically stored on the web server--the MDB files are the only
    sensitive information anyway. Any other file would be fine as long as it
    doesn't permit access to them.

    Thanks again

    Philip



    Guest

  14. #13

    Re: Is an Access file secure on a web server?

    > Yes, but that can usually be taken care of in a few seconds with a
    > find/replace or just redefining a global constant. So, I guess it's still
    > better than having someone be able to download your database. :]
    Well, renaming to *.asp instead of *.mdb also gives you this ability,
    without having to have a "nice" host...

    A


    Aaron Bertrand - MVP Guest

  15. #14

    Re: Is an Access file secure on a web server?

    > My understanding of MSDE was that it wasn't licensed for commercial use
    > outside of a development environment.

    That's incorrect. The licensing restrictions are on how you distribute it
    (centered around what application you bought to gain the rights to
    redistribute), not on how it's used. With a grain of salt, of course; I am
    not a lawyer, and I have only read the EULA... I claim no legal prowess in
    interpreting them correctly.

    > currently NOT in the wwwroot path as you've all suggested. My concern is
    > people gaining remote access to the website and having access to all of the
    > files physically stored on the web server

    That's a different problem altogether, and not one which could be solved
    through ASP. If they have physical access to the ASP files, they have
    access to whatever database you're using also (since they can find your
    connection string). Even if the connection string is compiled into a DLL,
    they can either get it by hooking up profiler, or by simply writing another
    ASP page using the same connection string retrieval...

    A


    Aaron Bertrand - MVP Guest

  16. #15

    Re: Is an Access file secure on a web server?

    I think you just like to argue. ;] In doing that, the data is still not
    all that secure. You can view source and recognize data. Damn it! All I'm
    saying is check with the host to see if they have a solution, and if not,
    then do the .asp thing.

    Ray at work

    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message
    news:uWdfdNMlDHA.708@TK2MSFTNGP10.phx.gbl...
    >
    > Well, renaming to *.asp instead of *.mdb also gives you this ability,
    > without having to have a "nice" host...
    >
    > A
    >
    >

    Ray at Guest

  17. #16

    Re: Is an Access file secure on a web server?

    Ehn!! You can't view the source on the client because no data will actually
    be sent from the server. It should just be an error message.

    Philip

    "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    news:OBqbIXMlDHA.2200@TK2MSFTNGP12.phx.gbl...
    > I think you just like to argue. ;] In doing that, the data is still not
    > all that secure. You can view source and recognize data. Damn it! All I'm
    > saying is check with the host to see if they have a solution, and if not,
    > then do the .asp thing.
    >
    > Ray at work
    >

    Guest

  18. #17

    Re: Is an Access file secure on a web server?

    Not on my server. What's Ehn?

    Ray at work

    <spam@merrimac.net> wrote in message
    news:eZ8s$qNlDHA.2424@TK2MSFTNGP10.phx.gbl...
    > Ehn!! You can't view the source on the client because no data will actually
    > be sent from the server. It should just be an error message.
    >
    > Philip
    >
    > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > news:OBqbIXMlDHA.2200@TK2MSFTNGP12.phx.gbl...
    > > I think you just like to argue. ;] In doing that, the data is still not
    > > all that secure. You can view source and recognize data. Damn it! All I'm
    > > saying is check with the host to see if they have a solution, and if not,
    > > then do the .asp thing.
    > >
    > > Ray at work
    > >
    >
    >

    Ray at Guest

  19. #18

    Re: Is an Access file secure on a web server?

    You're right, my server returned it as well.

    "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    news:eZZGL1NlDHA.1084@tk2msftngp13.phx.gbl...
    > Not on my server. What's Ehn?
    >
    > Ray at work
    >
    > <spam@merrimac.net> wrote in message
    > news:eZ8s$qNlDHA.2424@TK2MSFTNGP10.phx.gbl...
    > > Ehn!! You can't view the source on the client because no data will actually
    > > be sent from the server. It should just be an error message.
    > >
    > > Philip
    > >
    > > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > > news:OBqbIXMlDHA.2200@TK2MSFTNGP12.phx.gbl...
    > > > I think you just like to argue. ;] In doing that, the data is still not
    > > > all that secure. You can view source and recognize data. Damn it! All I'm
    > > > saying is check with the host to see if they have a solution, and if not,
    > > > then do the .asp thing.
    > > >
    > > > Ray at work
    > > >
    > >
    > >
    >
    >

    Tom B Guest

  20. #19

    Re: Is an Access file secure on a web server?

    It gets better, I made a link to the file
    <a href="ehn.asp">Test</a> on another page, and do a Right-click save as
    "ehn.mdb" and open the database again!


    "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    news:eZZGL1NlDHA.1084@tk2msftngp13.phx.gbl...
    > Not on my server. What's Ehn?
    >
    > Ray at work
    >
    > <spam@merrimac.net> wrote in message
    > news:eZ8s$qNlDHA.2424@TK2MSFTNGP10.phx.gbl...
    > > Ehn!! You can't view the source on the client because no data will actually
    > > be sent from the server. It should just be an error message.
    > >
    > > Philip
    > >
    > > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > > news:OBqbIXMlDHA.2200@TK2MSFTNGP12.phx.gbl...
    > > > I think you just like to argue. ;] In doing that, the data is still not
    > > > all that secure. You can view source and recognize data. Damn it! All I'm
    > > > saying is check with the host to see if they have a solution, and if not,
    > > > then do the .asp thing.
    > > >
    > > > Ray at work
    > > >
    > >
    > >
    >
    >

    Tom B Guest

  21. #20

    Re: Is an Access file secure on a web server?

    Whoah! I was doing a view source and trying to save it in notepad with a
    .mdb extension (tried all encoding types) but Access didn't recognize it.
    But I just did what you said, and yeah, sure enough, there's the database.
    Eeegs!

    Ray at work



    "Tom B" <shuckle@hotmail.com> wrote in message
    news:u4lk87NlDHA.2528@TK2MSFTNGP10.phx.gbl...
    > It gets better, I made a link to the file
    > <a href="ehn.asp">Test</a> on another page, and do a Right-click save as
    > "ehn.mdb" and open the database again!
    >
    >
    > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > news:eZZGL1NlDHA.1084@tk2msftngp13.phx.gbl...
    > > Not on my server. What's Ehn?
    > >
    > > Ray at work
    > >

    Ray at Guest
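
The last few posts found that a database renamed to .asp was still served and opened fine once saved as .mdb. As an added example (not code from the thread), the script below audits a web root for Access databases by content instead of by extension, using the "Standard Jet DB" / "Standard ACE DB" marker at the start of the file. The file names in `demo()` are constructed sample data.

```python
import os
import tempfile

# Access files begin with 00 01 00 00 followed by an ASCII format name.
MAGICS = (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB")
DB_EXTENSIONS = {".mdb", ".accdb"}


def looks_like_access_db(path):
    """True if the file starts with a Jet/ACE header, whatever it is named."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MAGICS[0]))
    except OSError:
        return False  # unreadable or missing: nothing to report
    return head.startswith(MAGICS)


def find_exposed_databases(web_root):
    """Return sorted (relative_path, kind) for every database under web_root.

    kind is "plain" for .mdb/.accdb names and "disguised" for any other
    extension (.asp, .mmm, .112147, ...).
    """
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_like_access_db(full):
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                ext = os.path.splitext(name)[1].lower()
                kind = "plain" if ext in DB_EXTENSIONS else "disguised"
                hits.append((rel, kind))
    return sorted(hits)


def demo():
    """Build a constructed web root in a temp directory and scan it."""
    jet = MAGICS[0] + b"\x00" * 64  # constructed stand-in for a real MDB
    sample = {
        "default.asp": b'<% Response.Write "hello" %>',  # ordinary script
        "ehn.asp": jet,                                  # renamed database
        "data.112147": jet,                              # renamed database
        os.path.join("db", "site.mdb"): jet,             # database, real name
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return find_exposed_databases(root)


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:9} {rel}")
```

Any hit means a database sits where the web server can read it for a request; the remedies are the ones given earlier in the thread: move the file outside the web root, or use a directory where the host denies read access.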
