
Hiding ASP source code

I have a customer with an extensive intranet which contains a lot of
sensitive company data. The client is concerned that any employee
could download source code back to removable storage and thereby steal
the data.

Printing is considered publicly risky and other capture methods of
visible screens would be too clumsy and outside the capability of most.

So we have been asked to make the source "invisible" or at least
extremely difficult to reveal.

Any suggestions please...?

TIA

.les.
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Les Juby le*****@anti-spam.iafrica.com
Webpro Internet - - - Prosoft Microsystems
Durban, KwaZulu-Natal, South Africa
P.O.Box 35243, Northway 4065, South Africa
Tel: +27 31 563-8344 Fax: +27 31 564-4928
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
(you *do* know to take "anti-spam" out the address....?
Jul 19 '05 #1
There are obfuscation tools out there that you can purchase. Another option
is to simply refactor code so ASP contains UI elements only and the rest of
the code is in VB COM component (ActiveX DLLs). The only code that shows up
is something like:

<%
Response.Write(vbObject.GetSecretStuff())
%>

A very serious hacker might still decompile the VB, but it would be a
concerted effort, as there are no decompilers for the more modern VB
implementations.

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************
"Les Juby" <we****@webpro.co.za> wrote in message
news:40**************@news.uunet.co.za...
I have a customer with an extensive intranet which contains a lot of
sensitive company data. The client is concerned that any employee
could download source code back to removable storage and thereby steal
the data.

Printing is considered publicly risky and other capture methods of
visible screens would be too clumsy and outside the capability of most.

So we have been asked to make the source "invisible" or at least
extremely difficult to reveal.

Any suggestions please...?

TIA

.les.
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Les Juby le*****@anti-spam.iafrica.com
Webpro Internet - - - Prosoft Microsystems
Durban, KwaZulu-Natal, South Africa
P.O.Box 35243, Northway 4065, South Africa
Tel: +27 31 563-8344 Fax: +27 31 564-4928
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
(you *do* know to take "anti-spam" out the address....?

Jul 19 '05 #2
"Les Juby" <we****@webpro.co.za> wrote in message
news:40**************@news.uunet.co.za...
I have a customer with an extensive intranet which contains a lot of
sensitive company data. The client is concerned that any employee
could download source code back to removable storage and thereby steal
the data.

Printing is considered publicly risky and other capture methods of
visible screens would be too clumsy and outside the capability of most.

So we have been asked to make the source "invisible" or at least
extremely difficult to reveal.

Any suggestions please...?


In addition to what Greg said, proper NTFS permissions on the ASP files will
also protect the source code.

--
Tom Kaminski IIS MVP
http://www.microsoft.com/windowsserv...y/centers/iis/
http://mvp.support.microsoft.com/
http://www.iisfaq.com/
http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
http://www.tryiis.com
Jul 19 '05 #3
On Thu, 15 Jul 2004 06:08:42 GMT, we****@webpro.co.za (Les Juby)
wrote:
I have a customer with an extensive intranet which contains a lot of
sensitive company data. The client is concerned that any employee
could download source code back to removable storage and thereby steal
the data.

Printing is considered publicly risky and other capture methods of
visible screens would be too clumsy and outside the capability of most.

So we have been asked to make the source "invisible" or at least
extremely difficult to reveal.

Any suggestions please...?


I'd be surprised if the actual ASP source had any sensitive data, more
likely it's material the ASP is grabbing from somewhere, so hiding the
source may not actually result in your goals.

That said, ASP source isn't "downloadable" if you have a properly set
up and secured server. ASP is processed by the server, so if you lock
the ASP files to only the account used for the intranet and only allow
access through the server, the source would never show.

Of course, since you mention printing and screen capture, you may not
even be really talking about ASP source code anyway, you may be
talking about the final result displayed in the browser. And that's
something you can't "hide" since you've already sent it to the client
for display.

I'd suggest evaluating the overall security of data and information in
your organization, and arriving at a process to protect it as needed.
Strip searches by armed guards may be required if you happen to work
for the CIA... :)

Jeff
Jul 19 '05 #4
And for a low-tech solution to making code less readable:

PCbit
http://www.pcbit.com
Advanced HTML Optimizer
Can remove white space in HTML and ASP files.

Best regards,
J. Paul Schmidt, Classic ASP Web Designer
http://www.Bullschmidt.com
Classic ASP Design Tips, ASP Web Database Demo, ASP Bar Chart Tool...
Jul 19 '05 #5
Uuuuh, this sounds good, but I'm completely unfamiliar with what you
are proposing. But it sounds the way to go.

Would the "rest of the code" you refer to be the original pages as
they are at present.?

Is there any reference you could please refer me to that might have
simple step-by-step instructions on what is needed here.?

Thanks, all, for the help....

(Hey, aren't we polite down here in Africa!)

.les.

On Thu, 15 Jul 2004 08:02:42 -0500, "Cowboy \(Gregory A. Beamer\)
[MVP]" <No************@comcast.netNoSpamM> wrote:
There are obfuscation tools out there that you can purchase. Another option
is to simply refactor code so ASP contains UI elements only and the rest of
the code is in VB COM component (ActiveX DLLs). The only code that shows up
is something like:

<%
Response.Write(vbObject.GetSecretStuff())
%>

A very serious hacker might still decompile the VB, but it would be a
concerted effort, as there are no decompilers for the more modern VB
implementations.

o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Les Juby le*****@anti-spam.iafrica.com
Webpro Internet - - - Prosoft Microsystems
Durban, KwaZulu-Natal, South Africa
P.O.Box 35243, Northway 4065, South Africa
Tel: +27 31 563-8344 Fax: +27 31 564-4928
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
(you *do* know to take "anti-spam" out the address....?
Jul 19 '05 #6
we****@webpro.co.za (Les Juby) wrote in message news:<40**************@news.uunet.co.za>...
I have a customer with an extensive intranet which contains a lot of
sensitive company data. The client is concerned that any employee
could download source code back to removable storage and thereby steal
the data.

Printing is considered publicly risky and other capture methods of
visible screens would be too clumsy and outside the capability of most.

So we have been asked to make the source "invisible" or at least
extremely difficult to reveal.

Any suggestions please...?


There is a product called ASP Lightning which will take each ASP page
you have, and convert/compile it into a DLL. It then rewrites the ASP
you have with just a call to the DLL.

http://www.infomentum.com/ASPLightning/

I used this product on a trial basis sometime last year when I thought
that we were going to have to hide the code, but it turned out the
deal fell through. They were quite helpful in putting out a new
version when I discovered a bug in their product.
Jul 19 '05 #7
Let me bring it down a notch as I am normally so ingrained in architecture
that I am flying way above the clouds.

The suggestion is to refactor, which is to pull the code into VB COM
components. To do this, you have to create methods for your code. For
example, let's say you have the following code in your ASP.

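connString = "{connection string for database here}"
sqlString = "SELECT * FROM SecretAuthorsTable"

' In ASP (VBScript), COM objects are created with Server.CreateObject
Set objConn = Server.CreateObject("ADODB.Connection")
objConn.Open connString
Set objCmd = Server.CreateObject("ADODB.Command")
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = sqlString
Set objRS = objCmd.Execute()

'Work with RS here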

To hide the database code, you would do the following:

1. Move the code to a function in a VB COM component by creating an ActiveX
DLL. Let's say we make DataLayer.dll with a class file called SecretData.
The function in the class would look something like so

Public Function GetSecretAuthorData() As ADODB.Recordset

Dim connString As String
Dim sqlString As String
Dim objConn As ADODB.Connection
Dim objCmd As ADODB.Command
Dim objRS As ADODB.Recordset

connString = "{connection string for database here}"
sqlString = "SELECT * FROM SecretAuthorsTable"

' Open the connection, then run the query through a Command object
Set objConn = New ADODB.Connection
objConn.Open connString
Set objCmd = New ADODB.Command
Set objCmd.ActiveConnection = objConn
objCmd.CommandText = sqlString
Set objRS = objCmd.Execute()

' Object references must be returned with Set
Set GetSecretAuthorData = objRS

End Function

2. Call the object from ASP

' VBScript cannot use New on a COM class; create it by ProgID instead
Set objSD = Server.CreateObject("DataLayer.SecretData")

Set objRS = objSD.GetSecretAuthorData()

NOTE: Not an optimal example, but the idea is sound. Now, a hacker for your
ASP app only learns about an object rather than actually getting the
connection string information and a sql query to start mining with.

NOTE: You can protect the implementation even more by hiding the connection
string in the registry, but that is a more complex bit of work. Or by
encrypting the strings, et al.

I will check and see if I can find a good URL. The MS Book Designing for
Scalability Using Microsoft Windows DNA is great for understanding
distributed applications using ASP and VB COM. You can pick it up extremely
cheap these days (75 cents US)

Designing for Scalability with Microsoft Windows DNA
by Per Sundblad, Sten Sundblad
Paperback: 450 pages ; Dimensions (in inches): 1.28 x 9.19 x 7.37
Publisher: Microsoft Press; 1 edition (March 15, 2000)
ASIN: 0735609683

http://www.amazon.com/exec/obidos/tg...glance&s=books

--
Gregory A. Beamer
MVP; MCP: +I, SE, SD, DBA

************************************************
Think Outside the Box!
************************************************
"Les Juby" <we****@webpro.co.za> wrote in message
news:40**************@news.uunet.co.za...
Uuuuh, this sounds good, but I'm completely unfamiliar with what you
are proposing. But it sounds the way to go.

Would the "rest of the code" you refer to be the original pages as
they are at present.?

Is there any reference you could please refer me to that might have
simple step-by-step instructions on what is needed here.?

Thanks, all, for the help....

(Hey, aren't we polite down here in Africa!)

.les.

On Thu, 15 Jul 2004 08:02:42 -0500, "Cowboy \(Gregory A. Beamer\)
[MVP]" <No************@comcast.netNoSpamM> wrote:
There are obfuscation tools out there that you can purchase. Another option
is to simply refactor code so ASP contains UI elements only and the rest of
the code is in VB COM component (ActiveX DLLs). The only code that shows up
is something like:

<%
Response.Write(vbObject.GetSecretStuff())
%>

A very serious hacker might still decompile the VB, but it would be a
concerted effort, as there are no decompilers for the more modern VB
implementations.

o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Les Juby le*****@anti-spam.iafrica.com
Webpro Internet - - - Prosoft Microsystems
Durban, KwaZulu-Natal, South Africa
P.O.Box 35243, Northway 4065, South Africa
Tel: +27 31 563-8344 Fax: +27 31 564-4928
o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
(you *do* know to take "anti-spam" out the address....?

Jul 19 '05 #8
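The refactoring in the post above moves connection strings and SQL out of the .asp pages, so a useful first step is an inventory of which pages still embed them. The following is an added example, not code from the thread: a Python audit that scans the server-side `<% %>` blocks of an ASP page for such literals. The function names, the hint patterns and both sample pages are constructed assumptions.

```python
import re
# Server-side regions of a Classic ASP page: <% ... %>
ASP_BLOCK = re.compile(r'<%(.*?)%>', re.S)
# VBScript string literal; a doubled quote ("") is an escaped quote
VB_STRING = re.compile(r'"((?:[^"\r\n]|"")*)"')
# Assumed heuristics for what counts as sensitive (tune per code base)
CONN_HINT = re.compile(
    r'\b(provider|data source|initial catalog|dsn|uid|user id|pwd|password)\s*=', re.I)
SQL_HINT = re.compile(
    r'^\s*(select\b.+?\bfrom\b|insert\s+into\b|update\b.+?\bset\b|delete\s+from\b)', re.I)

def strip_comment(line):
    """Drop a trailing VBScript ' comment, ignoring apostrophes inside strings."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str  # "" toggles twice, so the state stays right
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def find_embedded_secrets(asp_source):
    """Return (line_no, kind, literal) for sensitive strings in server-side code."""
    findings = []
    for block in ASP_BLOCK.finditer(asp_source):
        first_line = asp_source.count("\n", 0, block.start(1)) + 1
        for offset, line in enumerate(block.group(1).split("\n")):
            for m in VB_STRING.finditer(strip_comment(line)):
                literal = m.group(1).replace('""', '"')
                kind = ("connection-string" if CONN_HINT.search(literal)
                        else "inline-sql" if SQL_HINT.search(literal) else None)
                if kind:
                    findings.append((first_line + offset, kind, literal))
    return findings

# Constructed sample pages: before and after the refactoring described above
BEFORE = '''<html><body>
<%
connString = "Provider=SQLOLEDB;Data Source=db01;User ID=web;Password=EXAMPLE"
sqlString = "SELECT * FROM SecretAuthorsTable"  ' was "SELECT * FROM Authors"
Set objConn = Server.CreateObject("ADODB.Connection")
%>'''
AFTER = '''<%
Set objSD = Server.CreateObject("DataLayer.SecretData")
Set objRS = objSD.GetSecretAuthorData()
%>'''
for page in (BEFORE, AFTER):
    print(find_embedded_secrets(page))
```

A clean result only means the literals left the page; the DLL and the ASP files still need the NTFS permissions discussed earlier in the thread.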
