Security, best-practice question 1

Status
Not open for further replies.

gwillr

IS-IT--Management
Nov 4, 2003
267
CA
I have a few forms for collecting user input. They are processed via .asp scripts. The data from the form goes to files in a password protected area. Is it necessary or better to have the .asp files that process the input in that protected area as well?

Thanks in advance for any input.

Gary

 
Personally, I wouldn't as that may expose the location of the stored data. Ideally, you would offload the stored data to an external server (DB or some other storage resource). What I would do is have the pages that collect the data running under an SSL wrapper.
 
Thanks for the response!

It all makes sense, but, aside from offloading the stored data at regular intervals (which I will do, thanks for that suggestion), isn't the initial storage location traceable? I.e., check the HTML to view where the code is submitted (in this case it is to an .asp page), then check the ASP page to see where it writes the data to. Is there a way (with permissions/authentication or something) to restrict read access to the ASP file that initially processes the data while still keeping it accessible for when it needs to process a new submission?

Gary

 
The client should not be able to view the contents of an ASP page remotely. If they can then you haven't locked the server down properly. The entire web site should be accessible only by the user that IIS is using to serve the content, e.g. IUSR_xxxxx. You probably want to give the systems people access as well. Don't make the web site available as a share to your internal network as then any user with the right access would be able to see the contents of any files on your network.

Generally, by default, a user can use 'view source' on the HTML but they can't view the contents of an ASP file.
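
An added example, not part of the thread: a PowerShell audit of the lockdown described in the last reply, listing any account outside an allow-list that holds an Allow entry on the site's files, and any ordinary network share that exposes the folder. The site path, the allow-list and the `IUSR_<computername>` account name are assumptions; adjust them to the server being checked.

```powershell
# Added example, not from the thread. $SiteRoot and $Allowed are assumed values.
param(
    [string]$SiteRoot  = 'C:\Inetpub\wwwroot',
    [string[]]$Allowed = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"   # assumed anonymous account name
    )
)

# List every Allow ACE under the site root granted to an identity not in $Allowed.
function Get-UnexpectedAce {
    param([string]$Path, [string[]]$Allowed)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            $who = $ace.IdentityReference.Value
            if ($ace.AccessControlType -eq 'Allow' -and $Allowed -notcontains $who) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $who
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# List ordinary disk shares (Type 0) whose folder contains the site root.
# Administrative shares such as C$ have a different Type and are skipped.
function Get-ShareExposingPath {
    param([string]$Path)
    $full = (Get-Item -LiteralPath $Path).FullName.TrimEnd('\') + '\'
    Get-CimInstance -ClassName Win32_Share |
        Where-Object { $_.Type -eq 0 -and $_.Path } |
        Where-Object {
            $full.StartsWith($_.Path.TrimEnd('\') + '\',
                             [System.StringComparison]::OrdinalIgnoreCase)
        }
}

Get-UnexpectedAce -Path $SiteRoot -Allowed $Allowed | Format-Table -AutoSize
Get-ShareExposingPath -Path $SiteRoot | Format-Table Name, Path -AutoSize
```

Empty output from both commands means only the allow-listed accounts can read the scripts and no regular share publishes the folder to the internal network.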