-
Oct 22nd, 2002, 04:47 AM
#1
Thread Starter
New Member
how to make it secure?
Hi all!
I've done plenty of ASP programming but never tried COM and ActiveX. I heard it is secure. Can anyone tell me how I can make my ASP application secure? DLL files will hide my code, but I also want to prevent people from copying the DLL files and running my apps. So basically my question is how to prevent people from copying my ASP files.
thanks.
-
Oct 23rd, 2002, 02:57 AM
#2
To lock down your sites, there's a couple of tips I can guide you with...
1) Use DLLs for your data code & call these from your ASP pages - never talk to a file or database from your ASP page itself.
2) A lot of attacks on websites come from querystrings; if you are paranoid, you can validate what's after that question mark when your ASP page is called.
3) The second big one is SQL statements - if you've got a form with a textbox which, when submitted, is logged to a database, hackers often put SQL statements in the textboxes which execute as soon as they are passed to the server.
4) Get all the updates from MS for your system - any security patches which come out are always worth downloading.
5) If you use IIS, you might want to look at the user accounts your site uses, what paths these have access to & what rights to the files this web user has. Right-click your website in IIS & look at all the tabs under the Properties option.
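Added example, not part of the thread or written by its posters: tips 2 and 3 above as one classic ASP page, with the concatenated statement shown as a comment beside a parameterized ADO command. The table, column and field names and the connection string are assumptions; following tip 1, the same ADO calls would normally live inside the DLL rather than the page.

```asp
<%
Option Explicit
' Added example. Table, column and form-field names and the connection
' string are assumptions, not taken from the thread.
Const adCmdText = 1, adParamInput = 1, adExecuteNoRecords = 128
Const adInteger = 3, adVarWChar = 202

' Tip 2: accept the querystring value only if it is 1-9 digits.
Function ParseId(raw)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[0-9]{1,9}$"
    If re.Test(raw) Then
        ParseId = CLng(raw)
    Else
        ParseId = Null
    End If
End Function

Dim topicId, body, conn, cmd
topicId = ParseId(Request.QueryString("topic") & "")
body = Request.Form("comment") & ""
If IsNull(topicId) Or Len(body) = 0 Or Len(body) > 4000 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=AppDb;Integrated Security=SSPI"

' Weak form (tip 3): the textbox text becomes part of the SQL statement.
'   conn.Execute "INSERT INTO Comments (TopicId, Body) VALUES (" & _
'       topicId & ", '" & body & "')"

' Hardened form: the statement is fixed; values travel as typed parameters.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO Comments (TopicId, Body) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("topic", adInteger, adParamInput, , topicId)
cmd.Parameters.Append cmd.CreateParameter("body", adVarWChar, adParamInput, 4000, body)
cmd.Execute , , adExecuteNoRecords

conn.Close
%>
```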
-
Oct 23rd, 2002, 03:08 AM
#3
Thread Starter
New Member
Thanks for the tips, Alex. Let me give more details on what I have in mind. Perhaps you can give me more ideas.
I'm developing an app which is not meant to be online. It'll just run on localhost. I'm using ASP and SQL Server. I'm concerned about people copying (they will have physical access to the server) my ASP files and re-creating the same environment on their servers. I was told that if I used DLL files it'd make it very difficult, if not impossible.
What do you suggest?
-
Oct 23rd, 2002, 03:20 AM
#4
I'd agree that if you use DLL files & have all the latest security patches, you'd need to be a top hacker to break in & grab this - nothing is 100% totally secure, but this way is getting close to 90%.
"I'm developing an app which is not meant to be online."
"they will have physical access to the server."
You're actually confusing me a little here! But I think I can grasp what you're saying.
I'd suggest a login page for your site in case anyone stumbles across it on the server (i.e. with some IIS setups, if you type the server name into a browser, such as "http://mylocalpcname/", it can list all sites on your system), so even though it's not meant to be online and probably won't be found, write a logon screen anyway.
With the physical access bit, you could set up an NT logon & set permissions on the folder so it can only be used by 1 user. You can set up your website to use this new NT account via IIS & get it to use a specific password to look in the folder so you can access it, and at the same time, this would prevent anyone logging into your server with a blank floppy disk labelled "pinched dll files for website copy" from looking at the folder.
Don't ask me how to do this one. I know it's possible, and again it's to do with the IIS properties of the site, but you'd need to look this up on MSDN as I've never done this one.