Securing Web Database

Put the database above d:\mywebsite.

Something like:

d:\databases\mywebsite.mdb
"Prabhat" <no*********@hotmail.com> wrote in message
news:O3*************@TK2MSFTNGP15.phx.gbl...

Hi All,

I have a website setup which has MS-Access DB. The web pages are in ASP and uses ADO to connect to DB. The DB is located in the Folder "/Database". I
have the Connection string setup in the Global.asa file.

As my virtual Directory is "/" and all files and folders including the
"Database" folder are with in the folder so any one who knows the Database
folder name and database name can directly download the database from the
website.

The physical Directory for the virtual directory is: -

d:\mywebsite
d:\mywebsite\database
d:\mywebsite\DLLs
d:\mywebsite\images
d:\mywebsite\include
d:\mywebsite\stylesheet
d:\mywebsite\template

How Can I restrict the database to be access directly from web? Please
suggest all alternatives that I can opt for.

Thanks
Prabhat

Prabhat wrote:

How Can I restrict the database to be access directly from web? Please
suggest all alternatives that I can opt for.

The most common, and most effective, solution is to put the database outside
of the wwwroot folder. There is no need to have it in the web folder where
it can be browsed to.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

"David Morgan" <mi*************************@davidmorgan.me.uk> wrote in
message news:%2****************@TK2MSFTNGP12.phx.gbl...

Put the database above d:\mywebsite.

Something like:

d:\databases\mywebsite.mdb

Hi David,

Does that require any security settings in Windows / for windows users? Or
will that work with out any settings?

Thanks
Prabhat

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:Oe**************@tk2msftngp13.phx.gbl...

Prabhat wrote:

How Can I restrict the database to be access directly from web? Please
suggest all alternatives that I can opt for.

The most common, and most effective, solution is to put the database
outside
of the wwwroot folder. There is no need to have it in the web folder where
it can be browsed to.

OK Thanks for that. But keeping the DB outside the web share folder will
require any user privilage settings?

Thanks
Prabhat

It is most likely that any folder created off the root will have Everyone
Full Access. (This is quite handy when working with Access DBs.)

It should work without any settings. You'll soon know if it works and
security is well documented on http://www.aspfaq.com/

Regards

David
"Prabhat" <no*********@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP15.phx.gbl...

"David Morgan" <mi*************************@davidmorgan.me.uk> wrote in
message news:%2****************@TK2MSFTNGP12.phx.gbl...

Put the database above d:\mywebsite.

Something like:

d:\databases\mywebsite.mdb

Hi David,

Does that require any security settings in Windows / for windows users? Or
will that work with out any settings?

Thanks
Prabhat

"David Morgan" <mi*************************@davidmorgan.me.uk> wrote in
message news:er**************@TK2MSFTNGP09.phx.gbl...

It is most likely that any folder created off the root will have Everyone
Full Access. (This is quite handy when working with Access DBs.)

It should work without any settings. You'll soon know if it works and
security is well documented on http://www.aspfaq.com/

Regards

David

I will do that. Thanks for that info.

Prabhat

Prabhat wrote:

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:Oe**************@tk2msftngp13.phx.gbl...

Prabhat wrote:

How Can I restrict the database to be access directly from web?
Please suggest all alternatives that I can opt for.

The most common, and most effective, solution is to put the database
outside
of the wwwroot folder. There is no need to have it in the web folder
where it can be browsed to.

OK Thanks for that. But keeping the DB outside the web share folder
will require any user privilage settings?

If using Anonymous, then the IUSR and IWAM accounts will require modify
access to the folder containing the database. otherwise, all users will
require that level of permission.

--
Microsoft MVP -- ASP/ASP.NET
Please reply to the newsgroup. The email account listed in my From
header is my spam trap, so I don't check it very often. You will get a
quicker response by posting to the newsgroup.

I recommend the same as the others, but if you can't do it that way then you
could rename the file something obscure and give it an HTM extension (like
"fh496jfu6.htm"). The browser would (assuming they ever figured the name
out) always try to render it rather than download it and it would of course
fail to display. Your connection string would have to be altered to match
the name and I don't think it will care what the file extension is,..I don't
think it has to be MDB extension to work.

Obviously I don't think that is the best solution, but it might work if that
is all you are able to do. I'll admit that I haven't tested it,...it is
just a brainstorm,...I guess I got bored.

--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/IS...cessRules.html

Microsoft Internet Security & Acceleration Server: Guidance
http://www.microsoft.com/isaserver/t...dance/2004.asp
http://www.microsoft.com/isaserver/t...dance/2000.asp

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.asp
-----------------------------------------------------

"Prabhat" <no*********@hotmail.com> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:Oe**************@tk2msftngp13.phx.gbl...

Prabhat wrote:

How Can I restrict the database to be access directly from web? Please
suggest all alternatives that I can opt for.

The most common, and most effective, solution is to put the database
outside
of the wwwroot folder. There is no need to have it in the web folder where it can be browsed to.

OK Thanks for that. But keeping the DB outside the web share folder will
require any user privilage settings?

Thanks
Prabhat

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:us**************@TK2MSFTNGP09.phx.gbl...

If using Anonymous, then the IUSR and IWAM accounts will require modify
access to the folder containing the database. otherwise, all users will
require that level of permission.

Thanks for that info. My website using Anonymous access so I think I have to
give permissin for both IUSR and IWAM user.

Prabhat

"Phillip Windell" <@.> wrote in message
news:u2*************@TK2MSFTNGP10.phx.gbl...

I recommend the same as the others, but if you can't do it that way then you could rename the file something obscure and give it an HTM extension (like
"fh496jfu6.htm"). The browser would (assuming they ever figured the name
out) always try to render it rather than download it and it would of course fail to display. Your connection string would have to be altered to match
the name and I don't think it will care what the file extension is,..I don't think it has to be MDB extension to work.

Obviously I don't think that is the best solution, but it might work if that is all you are able to do. I'll admit that I haven't tested it,...it is
just a brainstorm,...I guess I got bored.

Good solution, But I have to see if the other extension will work or not.
But as you told this is not the best solution, and as other suggested to
move to other folder avove wwwroot so I will go for that, But still will try
to see if the extension change will work or not.

Thanks
Prabhat

Do you have a directory on your site that is set to not allow IIS to read
from it (cgi-bin directories are usually like this)? If so, put the DB in
there. If not, can you create such a directory (or have your ISP create it)?

--
--Mark Schupp
"Prabhat" <no********@hotmail.com> wrote in message
news:Oa**************@TK2MSFTNGP15.phx.gbl...

"Bob Barrows [MVP]" <re******@NOyahoo.SPAMcom> wrote in message
news:us**************@TK2MSFTNGP09.phx.gbl...

If using Anonymous, then the IUSR and IWAM accounts will require modify
access to the folder containing the database. otherwise, all users will
require that level of permission.

Thanks for that info. My website using Anonymous access so I think I have
to
give permissin for both IUSR and IWAM user.

Prabhat

http://support.cjwsoft.com/code/code...nload+database
"Prabhat" <no*********@hotmail.com> wrote in message
news:O3*************@TK2MSFTNGP15.phx.gbl...

Hi All,

I have a website setup which has MS-Access DB. The web pages are in ASP
and uses ADO to connect to DB. The DB is located in the Folder
"/Database". I have the Connection string setup in the Global.asa file.

As my virtual Directory is "/" and all files and folders including the
"Database" folder are with in the folder so any one who knows the Database
folder name and database name can directly download the database from the
website.

The physical Directory for the virtual directory is: -

d:\mywebsite
d:\mywebsite\database
d:\mywebsite\DLLs
d:\mywebsite\images
d:\mywebsite\include
d:\mywebsite\stylesheet
d:\mywebsite\template

How Can I restrict the database to be access directly from web? Please
suggest all alternatives that I can opt for.

Thanks
Prabhat