
  1. #1

    Securing MDBs

    I've got a webserver, IIS6, and an ASP application running on that
    server. The ASP validates users by their logon name so for this
    particular folder IIS is set up with Integrated Windows
    Authentication. The problem is then I have to give all Users
    Read/Write permissions to the database file, so if some cunning
    individual could work out the path to the database they would be able
    to change any record they pleased.

    Is there a better way of setting up the security?

    I've tried giving IUSR full access to the MDB file and enabling
    anonymous access to it in IIS, but this didn't work, it still says I
    don't have permission to access the file, I guess because the ASP is
    running as me?

    Many thanks in advance.
    busabus Guest

  3. #2

    Re: Securing MDBs

    busabus wrote:
    > ...so if some cunning
    > individual could work out the path to the database they would be able
    > to change any record they pleased.
    >
    > Is there a better way of setting up the security?
    >
    Stash the mdb outside your www space.

    --
    William Tasso - http://WilliamTasso.com


    William Tasso Guest

  4. #3

    Re: Securing MDBs

    Rename the *.mdb to *.sdfksdkjh; it will still work. Also install URLScan
    (MS) and, as William said, stash it outside web folders.
    Don


    "busabus" <drwhiting@hotmail.com> wrote in message
    news:358e222f.0312020223.25cbca32@posting.google.com...
    > I've got a webserver, IIS6, and an ASP application running on that
    > server. The ASP validates users by their logon name so for this
    > particular folder IIS is set up with Integrated Windows
    > Authentication. The problem is then I have to give all Users
    > Read/Write permissions to the database file, so if some cunning
    > individual could work out the path to the database they would be able
    > to change any record they pleased.
    >
    > Is there a better way of setting up the security?
    >
    > I've tried giving IUSR full access to the MDB file and enabling
    > anonymous access to it in IIS, but this didn't work, it still says I
    > don't have permission to access the file, I guess because the ASP is
    > running as me?
    >
    > Many thanks in advance.

    Don Grover Guest

  5. #4

    Re: Securing MDBs

    On 2 Dec 2003 02:23:29 -0800, drwhiting@hotmail.com (busabus) wrote:
    >I've got a webserver, IIS6, and an ASP application running on that
    >server. The ASP validates users by their logon name so for this
    >particular folder IIS is set up with Integrated Windows
    >Authentication. The problem is then I have to give all Users
    >Read/Write permissions to the database file, so if some cunning
    >individual could work out the path to the database they would be able
    >to change any record they pleased.
    >
    >Is there a better way of setting up the security?
    1) Never give permissions to more than needed. In the case of an
    Access database, the Anonymous user account for anonymous access, or
    the logged in user for authenticated access. You need MODIFY control
    for the MDB file and the folder it is located in (creation of lock
    file) for the specific users involved. Use a group for this purpose.

    2) Place the MDB file outside the web folder hierarchy and it can't be
    directly accessed by a web browser.

    3) If you use URLScan, block requests for the MDB extension. The MDB
    file itself never needs to be requested.

    4) Rename the MDB file with a different extension. This *can* be
    problematic depending on how you manage it.

    5) Use a database other than Access that provides for better
    security.
    >I've tried giving IUSR full access to the MDB file and enabling
    >anonymous access to it in IIS, but this didn't work, it still says I
    >don't have permission to access the file, I guess because the ASP is
    >running as me?
    No, it's because you're using Windows Authentication, and the
    authenticated user needs access.

    Jeff
    Jeff Cochran Guest
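
An added example, not part of the thread: points 2 and 4 in the reply above can be checked from the defender's side by scanning the web root for Access databases by file header rather than by extension, since a renamed file is still a Jet database. The function names and the sample tree (built in a temporary directory, reusing the `.sdfksdkjh` extension mentioned in an earlier reply) are constructed for illustration.

```python
import os
import tempfile

# Jet (.mdb) and ACE (.accdb) files begin with 00 01 00 00 followed by this tag.
JET_MAGIC = (b"\x00\x01\x00\x00Standard Jet DB", b"\x00\x01\x00\x00Standard ACE DB")


def is_access_db(path):
    """True if the file content starts with an Access database header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(19)
    except OSError:
        return False  # unreadable file: cannot classify, skip it
    return head.startswith(JET_MAGIC)


def find_exposed_databases(web_root):
    """Return sorted relative paths of Access databases found under web_root."""
    hits = []
    for folder, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(folder, name)
            if is_access_db(full):
                hits.append(os.path.relpath(full, web_root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample: a web root holding a renamed database, and a data folder outside it."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "wwwroot")
    data_dir = os.path.join(base, "data")
    os.makedirs(os.path.join(web_root, "app"))
    os.makedirs(data_dir)
    header = JET_MAGIC[0] + b"\x00" * 64  # constructed header, not a real database
    samples = [
        (os.path.join(web_root, "app", "users.sdfksdkjh"), header),  # renamed MDB
        (os.path.join(web_root, "app", "default.asp"), b"<% Response.Write \"hi\" %>"),
        (os.path.join(data_dir, "users.mdb"), header),  # outside the web root
    ]
    for path, content in samples:
        with open(path, "wb") as fh:
            fh.write(content)
    return web_root


if __name__ == "__main__":
    for rel in find_exposed_databases(build_sample_tree()):
        print("Access database inside web root:", rel)
```

The renamed file inside the web root is reported, while the database in the sibling data folder is not, which is the layout the replies recommend.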

  6. #5

    Re: Securing MDBs

    http://www.aspfaq.com/2454

    --
    Aaron Bertrand
    SQL Server MVP
    http://www.aspfaq.com/




    "busabus" <drwhiting@hotmail.com> wrote in message
    news:358e222f.0312020223.25cbca32@posting.google.com...
    > I've got a webserver, IIS6, and an ASP application running on that
    > server. The ASP validates users by their logon name so for this
    > particular folder IIS is set up with Integrated Windows
    > Authentication. The problem is then I have to give all Users
    > Read/Write permissions to the database file, so if some cunning
    > individual could work out the path to the database they would be able
    > to change any record they pleased.
    >
    > Is there a better way of setting up the security?
    >
    > I've tried giving IUSR full access to the MDB file and enabling
    > anonymous access to it in IIS, but this didn't work, it still says I
    > don't have permission to access the file, I guess because the ASP is
    > running as me?
    >
    > Many thanks in advance.

    Aaron Bertrand - MVP Guest

  7. #6

    Re: Securing MDBs

    Thanks for all the advice, I guess the 'move it out of the website'
    one is the best. Because it's an internal server I was thinking they
    could just UNC to it if it was anywhere on the server... but then they
    shouldn't have share access should they! Man, that MCSE was worth
    every penny...

    Thanks again.

    "Aaron Bertrand - MVP" <aaron@TRASHaspfaq.com> wrote in message news:<OW4eOWOuDHA.2060@TK2MSFTNGP10.phx.gbl>...
    > http://www.aspfaq.com/2454
    >
    > --
    > Aaron Bertrand
    > SQL Server MVP
    > http://www.aspfaq.com/
    >
    >
    >
    >
    > "busabus" <drwhiting@hotmail.com> wrote in message
    > news:358e222f.0312020223.25cbca32@posting.google.com...
    > > I've got a webserver, IIS6, and an ASP application running on that
    > > server. The ASP validates users by their logon name so for this
    > > particular folder IIS is set up with Integrated Windows
    > > Authentication. The problem is then I have to give all Users
    > > Read/Write permissions to the database file, so if some cunning
    > > individual could work out the path to the database they would be able
    > > to change any record they pleased.
    > >
    > > Is there a better way of setting up the security?
    > >
    > > I've tried giving IUSR full access to the MDB file and enabling
    > > anonymous access to it in IIS, but this didn't work, it still says I
    > > don't have permission to access the file, I guess because the ASP is
    > > running as me?
    > >
    > > Many thanks in advance.
    busabus Guest
