Where to store access database

Dave B.

Using ASP and an access database for password access to a site, where is the
best place to store the database to keep it from prying eyes, the _private
folder? How safe is it there?
 
Kevin Spencer

Open your web site in Internet Explorer, and then try to type in a URL of a
file in the _Private folder. That's how safe it is.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
 
P@tty Ayers

Dave B. said:
Using ASP and an access database for password access to a site, where is
the best place to store the database to keep it from prying eyes, the
_private folder? How safe is it there?

Not too safe, as Kevin pointed out. I recently had an Access database
hacked, and one of the things I was told to do was to at least make the name
of the directory and the name of the database hard to guess. In other words,
not:

database/database.mdb

but rather something much more obscure.
 
Tom Willett

The best place for a database is outside the web root. Using a folder
outside the web root will make it difficult for anyone to download your
database and gain access to your username and password. Otherwise you must
set the permissions on your database folder so that your database cannot be
downloaded.
 
Swabbie

I just used what one suggested by typing the path in to reach my Access
database and when I get to the actual database I get "Server Error in '/'
Application This type of page is not served. Description: The type of page
you have requested is not served because it has been explicitly forbidden.
The extension '.mdb' may be incorrect. Please review the URL below and
make sure that it is spelled correctly." Does this mean I have the
permissions set correctly to prevent access to my database?

Tom Willett said:
The best place for a database is outside the web root. Using a folder
outside the web root will make it difficult for anyone to download your
database and gain access to your username and password. Otherwise you must
set the permissions on your database folder so that your database cannot
be downloaded.
 
Swabbie

What is the best way to keep all of your website from being able to be
accessed without permission? It does me no good to password protect my site
if I can do something like type in the path and see it anyway.

Tom Willett said:
The best place for a database is outside the web root. Using a folder
outside the web root will make it difficult for anyone to download your
database and gain access to your username and password. Otherwise you must
set the permissions on your database folder so that your database cannot
be downloaded.
 
Stefan B Rusynko

If it is outside of your web root, you can't type a URL.

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


| What is the best way to keep all of your website from being able to be
| accessed without permission? It does me no good to password protect my site
| if I can do something like type in the path and see it anyway.
|
| > The best place for a database is outside the web root. Using a folder
| > outside the web root will make it difficult for anyone to download your
| > database and gain access to your username and password. Otherwise you must
| > set the permissions on your database folder so that your database cannot
| > be downloaded.
| > --
| > Tom Willett
| > Microsoft MVP - FrontPage
| > FrontPage Support: http://www.frontpagemvps.com/
| > ----------
| >
| >>> Using ASP and an access database for password access to a site, where is
| >>> the best place to store the database to keep it from prying eyes, the
| >>> _private folder? How safe is it there?
| >>
| >> Not too safe, as Kevin pointed out. I recently had an Access database
| >> hacked, and one of the things I was told to do was to at least make the
| >> name of the directory and the name of the database hard to guess. In
| >> other words, not:
| >>
| >> database/database.mdb
| >>
| >> but rather something much more obscure.
| >>
| >>
| >> --
| >> Patty Ayers | www.WebDevBiz.com
| >> Free Articles on the Business of Web Development
| >> Web Design Contract, Estimate Request Form, Estimate Worksheet
| >> --
| >>
| >>
| >
| >
|
|
 
Clark

Is the fpdb folder not adequately secure also? If a hacker guessed
the database name could she get to it?
 
P@tty Ayers

Tom, my host company tells me that a folder above the web root is no safer
from hackers than one within the web root. Both are still accessible.


--
Patty Ayers | www.WebDevBiz.com
Free Articles on the Business of Web Development
Web Design Contract, Estimate Request Form, Estimate Worksheet
--



Tom Willett said:
The best place for a database is outside the web root. Using a folder
outside the web root will make it difficult for anyone to download your
database and gain access to your username and password. Otherwise you must
set the permissions on your database folder so that your database cannot
be downloaded.
 
Kevin Spencer

Yes, that's exactly what it means. The folder is prevented from browsing, or
having any files requested from it.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.


Swabbie said:
I just used what one suggested by typing the path in to reach my Access
database and when I get to the actual database I get "Server Error in '/'
Application This type of page is not served. Description: The type of page
you have requested is not served because it has been explicitly forbidden.
The extension '.mdb' may be incorrect. Please review the URL below and
make sure that it is spelled correctly." Does this mean I have the
permissions set correctly to prevent access to my database?
 
Kevin Spencer

If you can access the _private folder from a browser, there is a problem
with permissions.

That's why I told him to check it. Depending upon how you set it up, the
_Private folder may or may not be protected. In his case, it is set up
correctly.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
 
Kevin Spencer

It's all a matter of what you mean by "safe." A server machine is just a
computer, like any other. It is connected to the Internet, which means that
it can send and receive network traffic. What is accessible to whom via what
methods and/or network protocols and ports is all a matter of permissions.
These can be handled by a firewall, local or domain file and directory
permissions, or by an individual process, such as the IIS web services. IIS
is the listener for HTTP requests, and maintains its own set of permissions
regarding what resources it will serve via HTTP.

This means that if the IIS permissions are set right, nobody except the
authors and administrators of a web site should be able to download files in
protected folders, such as the _Private folder. HOWEVER, this does not mean
that such resources are *absolutely* protected. They are on the same machine
as the rest of the server software. This means that they may or may not be
accessible remotely via some other protocol, or even locally from the same
machine.

So, the bottom line is, how safe is safe enough? How can you ensure that
your data is secure? Short answer - you can't. At some point an element of
trust enters the equation. Do you trust your hosting service to know what
they are doing? Long answer - If you're running a web site, web server
permissions are probably all you need to know about. However, if that site
is accessible via FTP, those permissions should be checked as well. Beyond
that, you would have to ask all the right questions of your hosting
service - or trust them.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.


P@tty Ayers said:
Tom, my host company tells me that a folder above the web root is no safer
from hackers than one within the web root. Both are still accessible.
 
Stefan B Rusynko

No, it is not adequately secure.

--

_____________________________________________
SBR @ ENJOY (-: [ Microsoft MVP - FrontPage ]
"Warning - Using the F1 Key will not break anything!" (-;
To find the best Newsgroup for FrontPage support see:
http://www.frontpagemvps.com/FrontPageNewsGroups/tabid/53/Default.aspx
_____________________________________________


| is the fpdb folder not adequately secure also? If a hacker guessed
| the database name could she get to it?
|
| On Thu, 6 Jul 2006 04:30:01 -0400, "Stefan B Rusynko"
|
| >If it is outside of your web root, you can't type a URL
|
 
shikha

Hi,

When I tried to put my login.mdb under _private folder, I got the error,

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] '(unknown)' is not a valid path.
Make sure that the path name is spelled correctly and that you are connected
to the server on which the file resides.

/districtcal/database1_interface/Results/login_db.asp, line 171

Any ideas why?
 
Kevin Spencer

Apparently, the path to the database is wrong in your Connection String.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.


shikha said:
Hi,

When I tried to put my login.mdb under _private folder, I got the error,

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC Microsoft Access Driver] '(unknown)' is not a valid path.
Make sure that the path name is spelled correctly and that you are connected
to the server on which the file resides.

/districtcal/database1_interface/Results/login_db.asp, line 171

Any ideas why?




Kevin Spencer said:
It's all a matter of what you mean by "safe." A server machine is just a
computer, like any other. It is connected to the Internet, which means that
it can send and receive network traffic. What is accessible to whom via what
methods and/or network protocols and ports is all a matter of permissions.
These can be handled by a firewall, local or domain file and directory
permissions, or by an individual process, such as the IIS web services. IIS
is the listener for HTTP requests, and maintains its own set of permissions
regarding what resources it will serve via HTTP.

This means that if the IIS permissions are set right, nobody except the
authors and administrators of a web site should be able to download files in
protected folders, such as the _Private folder. HOWEVER, this does not mean
that such resources are *absolutely* protected. They are on the same machine
as the rest of the server software. This means that they may or may not be
accessible remotely via some other protocol, or even locally from the same
machine.

So, the bottom line is, how safe is safe enough? How can you ensure that
your data is secure? Short answer - you can't. At some point an element of
trust enters the equation. Do you trust your hosting service to know what
they are doing? Long answer - If you're running a web site, web server
permissions are probably all you need to know about. However, if that site
is accessible via FTP, those permissions should be checked as well. Beyond
that, you would have to ask all the right questions of your hosting
service - or trust them.

--
HTH,

Kevin Spencer
Microsoft MVP
Professional Chicken Salad Alchemist

Big thicks are made up of lots of little thins.
 
Dave B.

Thanks for all the info guys, sounds like creating a folder with an obscure
name and removing browsing rights is the way to go.
 
Thomas A. Rowe

If the database is stored outside of the web root, and a System DSN is used, then no page within
your web site would contain the actual path to the database.

If the actual server is hacked, then it wouldn't matter, as the hacker would have complete access to
everything anyway.

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a result of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================

P@tty Ayers said:
Tom, my host company tells me that a folder above the web root is no safer from hackers than one
within the web root. Both are still accessible.
 
Thomas A. Rowe

However the fpdb folder by default has the correct permissions to protect the database (as long as
the web host has installed and configured the extensions correctly).

--
==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
==============================================
If you feel your current issue is a result of installing
a Service Pack or security update, please contact
Microsoft Product Support Services:
http://support.microsoft.com
If the problem can be shown to have been caused by a
security update, then there is usually no charge for the call.
==============================================
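
The three ways of reaching the database that come up in this thread (a file outside the web root, a System DSN, and a file inside the site such as _private), shown side by side in Classic ASP. This is an added example, not code posted by anyone in the thread; the physical path, the DSN name and the virtual path are assumptions. The helper also refuses an "outside" path that actually resolves under the web root and reports a missing file without echoing the physical path.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example, not code from the thread. The path, DSN name and virtual
' path are assumptions; substitute the values your host gives you.
Const DB_OUTSIDE_ROOT = "D:\data\example-site\login.mdb" ' hypothetical
Const DB_DSN = "ExampleLoginDsn"                         ' hypothetical
Const DB_VIRTUAL = "/_private/login.mdb"

' True when a physical path lies under the site's root folder, so that a
' URL maps to it and only web server permissions prevent a download.
Function IsUnderWebRoot(physPath)
    Dim root
    root = Server.MapPath("/")
    If Right(root, 1) <> "\" Then root = root & "\"
    IsUnderWebRoot = (InStr(1, physPath, root, vbTextCompare) = 1)
End Function

' mode: "dsn", "outside", or anything else for the in-site virtual path.
Function OpenLoginDb(mode)
    Dim conn, fso, physPath
    Set conn = Server.CreateObject("ADODB.Connection")
    If mode = "dsn" Then
        ' Only the DSN name appears in the page; the file path is held in
        ' the server's ODBC configuration.
        conn.Open "DSN=" & DB_DSN
    Else
        If mode = "outside" Then
            physPath = DB_OUTSIDE_ROOT
            If IsUnderWebRoot(physPath) Then
                Err.Raise vbObjectError + 1, "OpenLoginDb", "Database is inside the web root"
            End If
        Else
            ' Jet needs a physical path, so translate the virtual one.
            physPath = Server.MapPath(DB_VIRTUAL)
        End If
        Set fso = Server.CreateObject("Scripting.FileSystemObject")
        If Not fso.FileExists(physPath) Then
            ' Generic message: do not echo the physical path to the browser.
            Err.Raise vbObjectError + 2, "OpenLoginDb", "Database file not found"
        End If
        conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & physPath
    End If
    Set OpenLoginDb = conn
End Function

Dim db
Set db = OpenLoginDb("outside")
db.Close
%>
```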
 
