Solved

Password displayed in global.asa

Posted on 2002-06-12
25
645 Views
Last Modified: 2012-05-04
Dear experts:

   I am having difficulty dealing with my customers. They keep asking "why" and requesting "proof" from me.

   Now I have one problem for which I can't get the answer for my customer. The question is: Why would the database password (RuntimePassword) be displayed in global.asa?

Please help me find the proof. Thank you.
Question by:Crystion
25 Comments
 

Expert Comment

by:derjim929
ID: 7074687
You don't need to hardcode your database connection userid and password anywhere in your ASP. You can use the following connection string to use the account currently logged on to the server to connect to SQL Server:

stcon= "Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=biblio;Data Source=ServerName"

or to an Access Database:
stcon = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\biblio.mdb;Persist Security Info=False"

Notice how it doesn't have any userid or password on the connection string. You don't need to supply the userid and password parameter when you pass this connection string to the open method of the connection object.

conn.open stcon

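The two forms derjim929 contrasts, shown together in a small constructed example (this is added illustration, not code from the thread or from any of the posters): a global.asa whose Application_OnStart stores the password-free Integrated Security string in an Application variable, and a page that opens the connection from it. Server name, database and table are placeholders. The line kept as a comment is the form the question is about, with the credentials inside the string.

```asp
<!-- global.asa, in the root of the web application -->
<SCRIPT LANGUAGE="VBScript" RUNAT="Server">
Sub Application_OnStart
    ' The form the question worries about: a SQL login and its password
    ' travel with the source file. Kept here only for contrast.
    ' Application("ConnStr") = "Provider=SQLOLEDB.1;Data Source=ServerName;" & _
    '     "Initial Catalog=biblio;User ID=web_app;Password=<placeholder>"

    ' The form derjim929 recommends: no user id or password at all. SQL Server
    ' authenticates the Windows account the ASP request runs as. Under anonymous
    ' access that is IUSR_<machine>, so that login, not a shared SQL account, is
    ' what gets granted rights in the database (placeholder server and catalog).
    Application("ConnStr") = "Provider=SQLOLEDB.1;Integrated Security=SSPI;" & _
        "Persist Security Info=False;Initial Catalog=biblio;Data Source=ServerName"
End Sub
</SCRIPT>

<!-- titles.asp, any page in the same application -->
<%
Dim conn, rs, openErr
Set conn = Server.CreateObject("ADODB.Connection")

' Open with error trapping: the provider's message names the server, database
' and account, so it is logged server-side and never echoed to the browser.
On Error Resume Next
conn.Open Application("ConnStr")
openErr = Err.Number
On Error GoTo 0

If openErr <> 0 Then
    Response.Write "Database unavailable."
Else
    ' "Titles" is a constructed table name for the example.
    Set rs = conn.Execute("SELECT Title FROM Titles ORDER BY Title")
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("Title").Value & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    Set rs = Nothing
    conn.Close
End If
Set conn = Nothing
%>
```

With this string the thing that needs protecting is no longer a secret in a file but the permissions of one Windows login, which is exactly the situation megatshamsul runs into further down the thread: the "SELECT permission denied" error means the anonymous account reached the server and simply has not been granted anything yet.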

Expert Comment

by:derjim929
ID: 7074692
The text is usually hidden in global.asa unless your network admin enables the 'browse folder' option, where visitors can download the global.asa file and get the contents.

LVL 20

Expert Comment

by:Silvers5
ID: 7074727
hmm a workaround for this is to create an ODBC DSN on the web server and from global.asa include only the DSN as the connection string..
or you can develop a COM+ component to store the connection string, or better, access the database from it..
as said, the administrator should tighten security on the files (by default they are) so no one can see the connection string. and if someone saw it then he'd see the business logic and might be able to play around with your site workflow.. anyways.. ASP.NET resolves these issues radically..

regards
LVL 12

Expert Comment

by:Wouter Boevink
ID: 7075030
Maybe if you create a user account on the database and use that one for your connection, the customer may be more reassured.

LVL 12

Expert Comment

by:Wouter Boevink
ID: 7075032
Or encrypt your global.asa file using the Microsoft Script Encoder. This will make the whole global.asa file unreadable.

Make sure you have a copy because you can't decode it.
LVL 28

Expert Comment

by:sybe
ID: 7075071
Make sure that on IIS only "script" or "execute" is checked for the directory where the global.asa resides. Then it can never be downloaded.
You can only use ".asp" pages then in that directory (no .html, no images), but you can put those in a sub directory and check the "read" flag (and uncheck the "execute" and "script" flags).
It is generally best to have (sub-)directories be just "read" or "script", not both.
LVL 29

Expert Comment

by:Göran Andersson
ID: 7075386
The password is not "displayed" in global.asa.

Unless your web server is very poorly protected (e.g. severely changed from the default state), no one is able to see the global.asa, or any asp code for that matter.

Your customers can be completely calm about the contents of global.asa. It is supposed to hold this kind of information, so it's even better protected than the rest of the asp code. I believe that it would be easier to actually get into the database itself than to get the password from the global.asa file.

We use this all of the time. I'd guess we have about 30 public websites running on our servers, with the database passwords in the global.asa.

Expert Comment

by:derjim929
ID: 7076834
I'm not really sure about hard coding passwords anywhere on the webapp (ASP pages, global.asa, DSN, dll, etc.). This doesn't comply with best practices. As your customer, and as you, I'd be worried about this approach because:

1) You can accidentally share your code with the public. You just need to make a simple change (one checkbox) on the default setting to show the entire contents of a web folder where internet users can download your global.asa and ASP files. Also, there are a lot of vulnerabilities in IIS and a lot of these involve the ability to download your files.

2) Even if you make sure that nobody from the internet or intranet can download your global.asa or asp pages, you may not want other people who have access to the server's directory structure (other admins, web designers) to know the userid and password to the database server.

3) You don't want to manage passwords in your global.asa, ASP file or even DLL (COM component). Imagine having to make changes to your code (especially your COM component) when you change the password because somebody in the network admin team left the company.

Using a DSN still saves the userid and password on the server. I usually use a dll to do the database connections. Thanks to MTS or COM+ Administration, I can always assign an account to the dll that it can use to connect to my database (usually SQL Server). It seems that you are using ASP pages to connect directly to the internet. I do this sometimes when I don't get enough time to create components and compile them into DLLs. Because of this, I usually have a special account logon to the server (instead of the usual Administrator account) that I can use to connect to the database. (See previous comments I posted on how to do this.)
LVL 11

Expert Comment

by:mouatts
ID: 7077099
To actually get at the global.asa requires you to disassociate the asp.dll from the server. Then and only then will the global.asa be downloaded as text to the client. Even if you had no default documents in the directory and turned directory browsing on, you still couldn't get at it whilst asp.dll is still involved.
So it takes a bit more than just changing one check box.

If you want to prove the point to the client, type in the URL complete with global.asa at the end and see what they get.

To ensure that no one downloads the database, it should be outside the directory structure of the web server, so if your site is at d:\site\www your database should be stored in d:\site\data. In this way, if there are prying eyes on the inside that you want to hide the database from, just restrict access to this directory so they can't see it. After all, the thing you are actually trying to protect is the database.

Frankly, anyone worried about storage in the global.asa is expressing their lack of knowledge more than anything else.

Steve
LVL 5

Expert Comment

by:dgorin
ID: 7077190
global.asa doesn't download even if directory browsing is enabled.  The only way a client can get to your global.asa is if you have a severely mis-configured web server.

You can't just put global.asa in any old directory.  It needs to be in the root of your web application.

You can easily undecode asp that's encoded with the script encoder.  I'm not sure if global.asa will function properly if encoded, never tried, but encoding asp isn't much protection.
LVL 29

Accepted Solution

by:
Göran Andersson earned 50 total points
ID: 7078155
Even if you were so unfortunate as to open up your server enough for anyone to be able to browse to your global.asa file, it's still executed by IIS. As it contains no html code at all, it will only show up as a blank page anyway.

The only way to read the asp code in global.asa is to get the file via the file system, e.g. using ftp, or connecting to the server's file system using netbios. If someone manages that, there surely are more interesting targets than global.asa...

For someone to get the information in global.asa, your server would have to be pathetically insecure...
and with your concerned customers, I bet it's far from that. ;)

Expert Comment

by:derjim929
ID: 7078609
If your webapp is using a userid and password to connect to a database, chances are the database backend could be SQL Server, Oracle, DB2, etc. In this case, you swore your life to the DBA that you are not leaving the userid and password written on a notepad in your office nor saved in any file on the network. Even if it's an Access database using workgroup security, the fact that somebody took time and effort to provide this user level security on an Access database means that the owner of the database doesn't want to make the data available to just anyone who can get to the MDB file.

I take back part of my comment saying it's easy to share your global.asa code to the internet. I should have tested that myself, but I came from an environment that believes in best practices so I never had to worry about this.

But the fact remains that it's still available to other network admins or web designers through the server's file or FTP service. This becomes a problem in a big shop where most of the people specialize in different things and you try to enforce a need-to-know policy (especially for userids and passwords) to protect your clients' data. This won't be much of a problem for a small shop where the developer, the web designer, IIS admin, database administrator and systems engineer are the same person.

By the way, global.asa was designed to run routines for the start and end events of the application and session objects. Although it's convenient, it wasn't specifically designed to hold userids and passwords.

It has been emphasized so much by a lot of experts in seminars and books about ASP programming that putting database userids and passwords on the ASP page or global.asa should be avoided. I don't remember any encouragement to do otherwise. Your client may have heard this at a seminar or read it in a book somewhere.

This is not a 'how-to' or 'is-it-possible' question, but a good development and security practice question. And it all boils down to the benefits of convenience vs. best practices. Clients are usually concerned whether you have done everything to make their data as safe as possible from other people (regular internet users, hackers, viruses or even Jane from your Accounting Dept.) and you still make their unreasonable deadline.
LVL 11

Expert Comment

by:mouatts
ID: 7078838
Err, actually global.asa is specifically designed and intended to hold global data (hence its name). That is, global to the application and global to the session, which is why it has start and end routines to allow initialisation of the data.

I have checked all my books and can find not one which suggests anything about where to store the password (in fact most seem to hardcode it into the connection string).

Simple fact of life is that if you have a password for use by a program, then somewhere it is going to be entered into a file, be it data, program source file or registry.

If you are really worried about someone hacking your FTP and downloading it, then you place the username and password in an asp file and place it in a directory outside of the path of the server. This directory has suitable security turned on. When you need the username and password you include the file using the file= syntax.

This way it is impossible for anyone to get to the file via the web or via the ftp server.

Yes, sure, the system admin can get to it. But you do have to trust someone. If you approach security on the basis that no one can be trusted, you are getting into the realms of paranoia, and normally when that happens people get hung up on tiny details and forget the big picture.

I agree I have never heard anyone encourage placing passwords in global.asas, but on the other hand I've never heard them say the contrary. I have just checked all my books on the subject and no mention is made either way (in fact most put the password within the connection string!).

So far as best practice is concerned, it is better, as I suggested earlier, to hide the door (database) than the key (password). After all, if someone manages to steal your database it will take only a few minutes to crack the password, but if it's your key that is stolen, the person is no better off.

Steve
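What mouatts describes, as a constructed two-file example (added here, not code from the thread or from any poster): the credentials live in an .asp file under a folder that is not beneath the web root, and the page that needs them pulls it in with a server-side include. Paths, server, catalog and account are placeholders; the assumptions are that the site root is D:\site\www as in the earlier post, that /secure is an IIS virtual directory pointing at D:\site\secure with Read, Script and Execute all unchecked, and that the NTFS ACL on that folder admits only the account ASP runs as and the administrators.

```asp
<!-- D:\site\secure\dbconfig.asp (outside D:\site\www).
     The .asp extension matters: if a copy ever did end up somewhere that is
     served, asp.dll would execute it and return nothing, whereas a .inc or
     .txt file would be sent back as plain text. -->
<%
Function GetDbConnectionString()
    ' Constructed placeholder values; only this file carries them.
    GetDbConnectionString = "Provider=SQLOLEDB;Data Source=ServerName;" & _
        "Initial Catalog=INTRANET_DB;User ID=web_app;Password=<placeholder>"
End Function
%>

<!-- D:\site\www\servers.asp -->
<!-- #include virtual="/secure/dbconfig.asp" -->
<%
Dim conn, rs, openErr
Set conn = Server.CreateObject("ADODB.Connection")

' The provider's error text names the server and account, so it is not
' written to the browser.
On Error Resume Next
conn.Open GetDbConnectionString()
openErr = Err.Number
On Error GoTo 0

If openErr <> 0 Then
    Response.Write "Database unavailable."
Else
    ' "Server_Mast" is the table named in the thread's error message.
    Set rs = conn.Execute("SELECT * FROM Server_Mast")
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs(0).Value & "") & "<br>"
        rs.MoveNext
    Loop
    rs.Close
    Set rs = Nothing
    conn.Close
End If
Set conn = Nothing
%>
```

Two checks worth doing once this is in place: request /secure/dbconfig.asp directly and confirm IIS refuses it (the include is resolved from the file system, so it keeps working with no web permissions on the virtual directory), and avoid the `#include file="..\secure\..."` form, since it only works when "Enable Parent Paths" is switched on for the application, a setting that loosens what every page in the site may reach.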
LVL 12

Expert Comment

by:Wouter Boevink
ID: 7078890
Encrypting is the only way to hide the password.

encrypt your global.asa file using the Microsoft Script Encoder. This will make the whole global.asa
file unreadable.

Make sure you have a copy because you can't decode it.
LVL 11

Expert Comment

by:mouatts
ID: 7079000
Anyone getting that deja vu feeling?
LVL 29

Expert Comment

by:Göran Andersson
ID: 7079018
wboevink, I think we covered that already, and dgorin said: "You can easily undecode asp that's encoded with the script encoder".

Also, it's not the only way to hide the password. In a DSN or a Windows account, the password can't be read.

---

When creating a data connection in InterDev, it places the connection string in global.asa. That gives you a hint on where the makers of the system expects it to be...

---

How you should protect the password really boils down to whom you need to protect it from.

If you want to protect it from outside users, it's just fine in global.asa. If someone gets as far as that, the database password is certainly not your biggest concern...

If you want to protect it from inside users, it gets harder. You should put the password in a DSN or a component. Also, you have to make sure that the user account you are using is the only account that has access to the database - there is no use to protect your password if they can use their own.
LVL 29

Expert Comment

by:Göran Andersson
ID: 7079026
...hm, but I must say that the word "undecode" is new to me... ;)
LVL 11

Expert Comment

by:mouatts
ID: 7079056
Really...greenghost you'll be telling us next that you have never unre-enabled or redisconnected something next ;)
LVL 5

Expert Comment

by:dgorin
ID: 7079565
undecode?  What the heck was I thinking? :)

(Daniel Webster, are you listening?)


Expert Comment

by:megatshamsul
ID: 7086470
Dear derjim929,

I created it already by selecting SQL Server, then Windows authentication, when I created the database connection. But I got the following error:

Microsoft OLE DB Provider for SQL Server (0x80040E09)
SELECT permission denied on object 'Server_Mast', database 'INTRANET_DB', owner 'dbo'.

My question: is the database looking for iusr_myMachine or administrator <which I log in as>?

Thanks.

Expert Comment

by:megatshamsul
ID: 7086841
Dear wboevink,

I tried already with Microsoft Script Encoder and got the following error:

Active Server Pages, ASP 0137 (0x80004005)
Script blocks must be one of the allowed Global.asa procedures. Script directives within <% ... %> are not allowed within the Global.asa file. The allowed procedure names are Application_OnStart, Application_OnEnd, Session_OnStart, or Session_OnEnd.
/intranet/global.asa, line 1

But it works for .asp files.

Why?

Thanks in advance.
LVL 11

Expert Comment

by:mouatts
ID: 7087981
Because your global.asa has <% in it, as it said.
Your first line should be

<SCRIPT LANGUAGE="VBSCRIPT" RUNAT=SERVER>

and the last line

</SCRIPT>

Steve

Expert Comment

by:derjim929
ID: 7097558
If you are getting the 'select permission denied' error in SQL Server, that means you are already hitting the database with the right userid and password.

You just need to give the userid the rights to read and write to all the database tables by adding it to the db_datareader and db_datawriter roles inside your database (or even the dbo role if you wish). Or you can specifically assign access to your SQL Server objects (TABLES, VIEWS, STORED PROCEDURES, etc.) by right clicking on the object in the Enterprise Manager and selecting [all tasks] > [assign permissions]. This will list all the users added to the database and you can specify different permissions for each user.

If you use the OLEDB Connection String I gave to instantiate an OLEDB connection on an ASP script, I believe it will use the iusr_%myMachine% account configured with your webapp.

Good luck.
LVL 29

Expert Comment

by:Göran Andersson
ID: 7097585
derjim929, it looks like that one really ended up in the wrong question...
LVL 4

Expert Comment

by:Wakie
ID: 9211363
It appears this question has been abandoned.

I will leave a recommendation in the Cleanup topic area that this question will be:

- Points to GreenGhost -

Please leave any comments here within the next seven days.

DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Wakie,
EE Cleanup Volunteer.