Secured ASP web site


  1. #1

    Secured ASP web site

    All:

    1) Could anyone show me any website which is using asp, ssl, sql server?
    2) Is ASP/IIS technology good enough to create a commercial secured internet
    web application?
    3) People said most of the secured internet web application (e.g.
    banking...) is using java, is that true?

    Simon


    Ed Jaffe Guest

  3. #2

    Re: Secured ASP web site


    "Ed Jaffe" <edjaffe1000@yahoo.com> wrote in message
    news:O0E2IDqkDHA.2404@TK2MSFTNGP12.phx.gbl...
    > All:
    >
    > 1) Could anyone show me any website which is using asp, ssl, sql server?
    http://www.microsoft.com/sql/evaluation/casestudies/solutions.asp
    > 2) Is ASP/IIS technology good enough to create a commercial secured internet
    > web application?
    Sure, as long as everyone involved in developing and maintaining the
    site, the server, and all else involved remains security-conscious.
    > 3) People said most of the secured internet web application (e.g.
    > banking...) is using java, is that true?
    I'm a programmer at a bank. Our website has no Java anything anywhere. Our
    online applications are normal ASP pages in https.

    As far as our Web banking system, we did not develop it ourselves. But it
    is hosted in NT machines and uses Cold Fusion. The database is DB/2 on an
    AS/400.

    Ray at home


    Ray at Guest

  4. #3

    Re: Secured ASP web site


    "Ray at <%=sLocation%>" <myfirstname at lane 34 . komm> wrote in message
    news:eXidvqqkDHA.2592@TK2MSFTNGP10.phx.gbl...
    >
    > "Ed Jaffe" <edjaffe1000@yahoo.com> wrote in message
    > news:O0E2IDqkDHA.2404@TK2MSFTNGP12.phx.gbl...
    > > All:
    > >
    > > 1) Could anyone show me any website which is using asp, ssl, sql server?
    >
    > http://www.microsoft.com/sql/evaluation/casestudies/solutions.asp
    >>>
    >>> What a great resource!
    >>>
    >
    > > 2) Is ASP/IIS technology good enough to create a commercial secured internet
    > > web application?
    >
    > Sure, as long as everyone involved in developing and maintaining the
    > site, the server, and all else involved remains security-conscious.
    >
    > > 3) People said most of the secured internet web application (e.g.
    > > banking...) is using java, is that true?
    >
    > I'm a programmer at a bank. Our website has no Java anything anywhere. Our
    > online applications are normal ASP pages in https.
    >
    > As far as our Web banking system, we did not develop it ourselves. But it
    > is hosted in NT machines and uses Cold Fusion. The database is DB/2 on an
    > AS/400.
    >
    >>>
    >>> Ray, I would like to develop an internet application by using ASP/IIS technology.
    >>> I am not familiar with isapi or .Net. And I don't want to use NT Security "only" because
    >>> it takes a lot of resource to maintain the accounts. My real concern is how to
    >>> do the login process. I am afraid that if the web-site is using only the anonymous
    >>> account and have a plain table(User with diff levels) to direct the secured pages access,
    >>> it will be easy for hacker to break it!!!!
    >>> Any comment is appreciated.
    >>> Thanks again for your sql server url.
    >>>
    >>> Ed
    > Ray at home

    Ed Jaffe Guest

  5. #4

    Re: Secured ASP web site


    "Ed Jaffe" <edjaffe1000@yahoo.com> wrote in message
    news:OhU2hWzkDHA.3732@tk2msftngp13.phx.gbl...
    > >>> Ray, I would like to develop an internet application by using ASP/IIS technology.
    > >>> I am not familiar with isapi or .Net. And I don't want to use NT Security "only" because
    > >>> it takes a lot of resource to maintain the accounts.
    Tru dat. ;]
    > >>> My real concern is how to
    > >>> do the login process. I am afraid that if the web-site is using only the anonymous
    > >>> account and have a plain table(User with diff levels) to direct the secured pages access,
    > >>> it will be easy for hacker to break it!!!!
    How? I think that 99% of the sites out there use login credentials that are
    stored in a database. This is normal. Like everything, you have to balance
    security with functionality. Like, if you think that someone is going to
    sit there on your login page all day trying to get lucky entering usernames
    and passwords, you can add something to your site to track the number of
    invalid logins by IP and then deny access to the page from that IP. You can
    also mandate password complexity from your users.

    For me, as an end user, all I need is a username and password to get into
    web banking. From there, I can transfer money, send money to other people
    via checks, close accounts, whatever. The only thing protecting me is my
    password. This is normal though.

    Just don't do anything foolish like use an Access database and put it in
    your website where people can download it. And don't let people use blank
    passwords. And make people change their passwords. And physical security
    of the server is also important.

    Ray at work


    Ray at Guest
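The failed-login tracking by IP suggested in the post above could be kept in SQL Server as follows. This is an added example, not code from anyone in the thread; the table and procedure names, the 5-failure threshold and the 15-minute window are assumptions.

```sql
-- Added example: FailedLogin, RecordFailedLogin and IsIpBlocked are hypothetical names.
CREATE TABLE dbo.FailedLogin (
    FailedLoginId int IDENTITY(1,1) PRIMARY KEY,
    IpAddress     varchar(45) NOT NULL,  -- long enough for an IPv6 address in text form
    Username      varchar(20) NOT NULL,  -- as submitted, kept for later review
    AttemptedAt   datetime    NOT NULL DEFAULT (GETUTCDATE())
);
CREATE INDEX IX_FailedLogin_Ip_Time ON dbo.FailedLogin (IpAddress, AttemptedAt);
GO

-- Called after every rejected username/password pair.
CREATE PROCEDURE dbo.RecordFailedLogin
    @IpAddress varchar(45),
    @Username  varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.FailedLogin (IpAddress, Username)
    VALUES (@IpAddress, @Username);
END
GO

-- Called before credentials are checked. Blocked = 1 once the address has
-- reached @MaxFailures within the last @WindowMinutes; old failures age out,
-- so the block lifts on its own.
CREATE PROCEDURE dbo.IsIpBlocked
    @IpAddress     varchar(45),
    @MaxFailures   int = 5,   -- assumed threshold
    @WindowMinutes int = 15   -- assumed window
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Failures int;

    SELECT @Failures = COUNT(*)
    FROM dbo.FailedLogin
    WHERE IpAddress = @IpAddress
      AND AttemptedAt >= DATEADD(minute, -@WindowMinutes, GETUTCDATE());

    SELECT CASE WHEN @Failures >= @MaxFailures THEN 1 ELSE 0 END AS Blocked,
           @Failures AS RecentFailures;
END
GO

-- Constructed sample data: one failure from a documentation-range address, then the check.
EXEC dbo.RecordFailedLogin '203.0.113.7', 'alice';
EXEC dbo.IsIpBlocked '203.0.113.7', 1, 15;
```

The ASP login page would pass Request.ServerVariables("REMOTE_ADDR") to dbo.IsIpBlocked before checking credentials and to dbo.RecordFailedLogin after each rejection. Because many users can share one address behind a proxy or NAT, the same count keyed on Username is a common companion check.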

  6. #5

    Re: Secured ASP web site

    Ray, one last question I want to clarify regarding the "credentials that
    are stored in a database" statement. Will you take advantage of the Users,
    Roles and Rules features in SQL Server "or" use a plain table that has
    fields to store the user name, password (encrypted) and associated info
    (for diff. security levels)? The reason why I ask is because when you first
    make the "connection" to your DBMS through the "ADODB.Connection" object
    within the ASP page, you have to pass the "User ID" and "Password" info.
    Are you going to use a "global" user account, e.g. sa, to do the connection
    and then query/validate the user based on the passed UserID and Password
    against the plain table? Or does each user have their "own" UserID/Password
    when you do the ADODB.Connection? I am new to this area and hope someone
    can give me more detail on this particular topic.

    Thank you for your valuable help anyway.

    Ed.

    Ed Jaffe Guest

  7. #6

    Re: Secured ASP web site

    I personally would use the same sql login for all connections. The user
    logins would just be data in a table as you suggested with the passwords in
    the table. And as far as permissions in the application, that would be data
    stored in the db too. I believe this is the norm. A table may look
    something like this:


    Userid smallint
    Username varchar(20)
    Password varchar(20) ''or longer if you encrypt with many characters
    AuthorityLevel tinyint
    PasswordLastChange datetime
    'etc.

    Ray at work

    Ray at Guest
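A sketch of the single-shared-login design discussed in this thread, with the site's SQL login limited to one stored procedure instead of being sa. This is an added example, not code from the thread; it assumes SQL Server 2005 or later, the names web_app, AppUser and GetLoginRecord are hypothetical, and storing a salted hash computed by the application (rather than the password) is an assumption of this example.

```sql
-- Added example; web_app, AppUser and GetLoginRecord are hypothetical names.
-- One shared, low-privilege login for the whole site instead of sa.
CREATE LOGIN web_app WITH PASSWORD = '<placeholder-strong-password>';
GO
CREATE USER web_app FOR LOGIN web_app;
GO

-- Assumption: the application derives PasswordHash from PasswordSalt + password
-- with a slow password-hashing function; the password itself is never stored.
CREATE TABLE dbo.AppUser (
    UserId             smallint IDENTITY(1,1) PRIMARY KEY,
    Username           varchar(20)   NOT NULL UNIQUE,
    PasswordSalt       varbinary(16) NOT NULL,
    PasswordHash       varbinary(64) NOT NULL,
    AuthorityLevel     tinyint       NOT NULL DEFAULT (0),
    PasswordLastChange datetime      NOT NULL DEFAULT (GETUTCDATE())
);
GO

-- The only read path the web login gets: one row, selected by a typed parameter,
-- so user input is never concatenated into the SQL text.
CREATE PROCEDURE dbo.GetLoginRecord
    @Username varchar(20)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserId, PasswordSalt, PasswordHash, AuthorityLevel, PasswordLastChange
    FROM dbo.AppUser
    WHERE Username = @Username;
END
GO

-- web_app may run the procedure but cannot read or change the table directly.
-- Ownership chaining (table and procedure are both owned by dbo) lets the
-- procedure read the table; the DENY guards against a later role grant.
GRANT EXECUTE ON dbo.GetLoginRecord TO web_app;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.AppUser TO web_app;
GO
```

The ASP page would name web_app in its ADODB.Connection string, call dbo.GetLoginRecord through an ADODB.Command parameter, and compare the hash it computes with the stored one.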
