ASP Security: English-Language Literature and Translation
ASP Security Environment Analysis
Abstract
This article looks at the Asp system as a whole and analyses and summarises the security technologies in three areas: the Web server side, the database side, and Asp programming. It argues that Asp security should be built on prevention.
I. Introduction
Asp is Microsoft's server-side scripting environment. It combines scripts, HTML and ActiveX components into dynamic, interactive and efficient Web server applications. At present the IIS + ASP + SQL (or Access) combination has become the solution of choice for small and medium-sized enterprises that build their own online information systems. Although Asp allows rapid development, it also has security vulnerabilities that cannot be ignored, and resolving these issues is something Asp developers and administrators have been working on continuously. This paper attempts to analyse Asp security technology in three areas: the server side, the database side, and Asp programming.
II. Analysis of ASP security technology
(A) Web server-side security technology
1. Directory file protection
(1) NTFS permissions.
The NTFS file system provides more security than FAT32 file management: through the access control list (ACL) it defines each user's permissions on files and directories, and the computer allows a user to access a file only if that user has permission to open it. By setting access rights on directories and files, users who have no business with a directory can be prevented from copying, modifying or deleting its files, which limits intrusion into the system.
(2) Virtual directory and its property.
Virtual directories hide the directory structure that holds the site's important information. In an Asp environment a safer approach is to store the Asp scripts and the HTML files in separate directories, setting the attribute of the HTML directory to read-only and the attribute of the Asp script directory to execute.
(3) Preventing viewing of Asp files.
IIS's own Showcode.asp and Code.asp files can be used to view the source code of Asp programs and so steal information. These files should be deleted from the Web server, or access to the directories in which they are stored should be disabled.
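The three measures of this section (NTFS ACLs, separate read-only and script directories, and removal of the source-viewing sample files) can be applied together from PowerShell. The following is an added example, not code from the article; it assumes IIS 7 or later with the WebAdministration module, a site named Default Web Site, content under C:\inetpub\site\html and C:\inetpub\site\scripts, and that anonymous requests run as the IUSR_<computername> account (on IIS 7+ the built-in IUSR account is used instead; adjust the variable). The "read-only" and "execute" directory attributes the text describes correspond to the handlers accessPolicy setting on modern IIS.

```powershell
# Added example (not from the article): harden the content directories of an
# IIS/ASP site as the "Directory file protection" section describes.
# Assumptions: site 'Default Web Site', HTML in C:\inetpub\site\html, Asp
# scripts in C:\inetpub\site\scripts, anonymous account IUSR_<computername>
# (use plain 'IUSR' on IIS 7 and later). Run in an elevated PowerShell.
Import-Module WebAdministration

$site      = 'Default Web Site'
$htmlDir   = 'C:\inetpub\site\html'      # static pages: read only
$scriptDir = 'C:\inetpub\site\scripts'   # Asp scripts: read + script, never write
$webUser   = "IUSR_$env:COMPUTERNAME"    # assumption; 'IUSR' on IIS 7+

foreach ($dir in $htmlDir, $scriptDir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
    # NTFS: stop inheriting the parent ACL (which usually grants Users read on
    # everything), drop explicit rules, then grant only what the site needs.
    $acl = Get-Acl -Path $dir
    $acl.SetAccessRuleProtection($true, $false)      # protect; do not copy inherited rules
    foreach ($rule in $acl.Access) {
        if (-not $rule.IsInherited) { $acl.RemoveAccessRule($rule) | Out-Null }
    }
    $admins = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        'BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $reader = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $webUser, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($admins)
    $acl.AddAccessRule($reader)        # web user can read and run, cannot copy in, modify or delete
    Set-Acl -Path $dir -AclObject $acl
}

# IIS: expose the two folders as virtual directories with different access policies.
New-WebVirtualDirectory -Site $site -Name 'html'    -PhysicalPath $htmlDir   -ErrorAction SilentlyContinue
New-WebVirtualDirectory -Site $site -Name 'scripts' -PhysicalPath $scriptDir -ErrorAction SilentlyContinue
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/html" `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read'
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/scripts" `
    -Filter 'system.webServer/handlers' -Name 'accessPolicy' -Value 'Read, Script'
# Directory browsing off, so the layout behind the virtual directories stays hidden.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/directoryBrowse' -Name 'enabled' -Value $false

# Remove every copy of the sample source viewers the article names.
Get-ChildItem -Path 'C:\inetpub' -Recurse -Include 'Showcode.asp', 'Code.asp' -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Removing $($_.FullName)"
        Remove-Item -Path $_.FullName -Force
    }

# Verify the result: ACL per directory and the access policy per virtual directory.
foreach ($dir in $htmlDir, $scriptDir) {
    (Get-Acl -Path $dir).Access | Select-Object IdentityReference, FileSystemRights, IsInherited
}
foreach ($vdir in 'html', 'scripts') {
    Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/$vdir" `
        -Filter 'system.webServer/handlers' -Name 'accessPolicy'
}
```

The script is idempotent: re-running it leaves the same two explicit ACL entries and the same access policies. The verification loop at the end is the check to keep in a build script, because an accidental Write right on the scripts directory is exactly what turns a script-upload bug into code execution on the server.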
2. Access restriction technology
(1) IP address restrictions.
IIS can grant or deny access to specific IP addresses; by refusing access from particular IP addresses, interference and intrusion from them can be excluded. The setting is made as follows: A. start ISM (Internet Service Manager); B. open the Web site properties and the "Advanced" tab; C. set the access control for the specified IP addresses.
(2) User Access Control.
IIS provides settings for anonymous access and authentication control on site resources; the Web server authenticates users on the basis of their identity, so that unauthorised users cannot make HTTP connections to restricted content. Specific settings: on the Web site's "Directory Security" property page, select "Anonymous access and authentication control" and edit it. Anonymous access lets clients establish a connection with the Web server under the IUSR_computername account (which is given a random password). For non-anonymous access there are three types of authentication: basic authentication, which allows the user name and password to be sent unencrypted (in clear text); digest authentication, which is supported only on networks that have a domain controller in the domain and sends a hashed value (that is, a message digest computed by "hashing") rather than the password itself; and Integrated Windows authentication, which uses Secure Sockets Layer (SSL) to encrypt the user name and password automatically.
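The same choices can be made per location from PowerShell, which makes the policy reviewable and repeatable. This is an added example, not the article's own procedure; it assumes IIS 7 or later with the Windows, Digest and Basic authentication features installed, a site named Default Web Site and a restricted folder named secure. One fact worth adding to the description above: Integrated Windows authentication uses NTLM or Kerberos challenge/response, so the password itself never crosses the wire, which is why it is preferred here; basic authentication is the one method that needs SSL to be safe.

```powershell
# Added example (not from the article): configure the authentication methods the
# "User Access Control" section lists, with anonymous access on the public site
# and identity-based access on a restricted area.
# Assumptions: site 'Default Web Site', restricted folder 'secure', IIS 7+ with
# the Windows, Digest and Basic authentication features installed.
Import-Module WebAdministration

$site     = 'Default Web Site'
$area     = "$site/secure"
$authBase = 'system.webServer/security/authentication'

function Set-AuthMethod {
    param([string]$Location, [string]$Method, [bool]$Enabled)
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$authBase/$Method" -Name 'enabled' -Value $Enabled
}

function Get-AuthState {
    param([string]$Location)
    foreach ($m in 'anonymousAuthentication', 'basicAuthentication', 'digestAuthentication', 'windowsAuthentication') {
        $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter "$authBase/$m" -Name 'enabled'
        [pscustomobject]@{ Location = $Location; Method = $m; Enabled = [bool]$v.Value }
    }
}

# Public part of the site: anonymous only. On IIS 7+ the anonymous identity is
# the built-in IUSR account; classic IIS used IUSR_<computername>.
Set-AuthMethod -Location $site -Method 'anonymousAuthentication' -Enabled $true
Set-AuthMethod -Location $site -Method 'basicAuthentication'     -Enabled $false

# Restricted area: no anonymous access. Integrated Windows authentication first
# (challenge/response, password never sent), digest where a domain controller is
# available. Basic authentication sends the password in clear text and stays off;
# if legacy clients need it, enable it only on a location that requires SSL.
Set-AuthMethod -Location $area -Method 'anonymousAuthentication' -Enabled $false
Set-AuthMethod -Location $area -Method 'windowsAuthentication'   -Enabled $true
Set-AuthMethod -Location $area -Method 'digestAuthentication'    -Enabled $true
Set-AuthMethod -Location $area -Method 'basicAuthentication'     -Enabled $false

# Review: anything enabled on the restricted area that is not on the allow-list is a finding.
$allowed = 'windowsAuthentication', 'digestAuthentication'
Get-AuthState -Location $area | ForEach-Object {
    $flag = if ($_.Enabled -and $_.Method -notin $allowed) { 'REVIEW' } else { 'ok' }
    "{0,-8} {1,-25} enabled={2}" -f $flag, $_.Method, $_.Enabled
}
```

Get-AuthState is the piece to keep for periodic checks: because the authentication sections live in applicationHost.config location tags, a later change made through the IIS Manager GUI shows up immediately in its output.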
(3) firewall technology.
The purpose of a firewall is to provide security for the internal network or host: it prevents unauthorised access to information resources by forcing all connections to pass through this protective layer. There are two kinds, packet-filtering firewalls and proxy firewalls. Packet filtering controls the services a host offers to specific IP addresses; its basic principle is to intercept IP packets at the IP network layer and, from the information exchanged, decide whether to forward each packet. The basic principle of a proxy is to build a single agent for the Web service: clients are not allowed to interact with the server directly, and both sides must exchange information through the agent. In practice, the packet filter usually provides the first line of protection, and the proxy server then provides the more advanced security mechanisms.
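The IP address restrictions of section (1) and the packet-filtering layer of section (3) are two layers of the same address-based control, so the following added example configures both: the IIS IP and Domain Restrictions feature (the modern form of the ISM "Advanced" tab the article describes) and the Windows host firewall acting as the packet filter in front of the server. This is not code from the article. It assumes a site named Default Web Site on a Windows Server with IIS 7 or later; the blocked range 203.0.113.0/24 and the management host 198.51.100.10 are placeholders from the documentation address ranges.

```powershell
# Added example (not from the article): address-based access control in two layers.
# Layer 1: IIS "IP and Domain Restrictions" (application layer, per site).
# Layer 2: Windows host firewall rules (packet filter, per port and source).
# Assumptions: site 'Default Web Site'; 203.0.113.0/24 is a range to deny and
# 198.51.100.10 the only host allowed to administer the server (placeholders).
Import-Module WebAdministration

$site  = 'Default Web Site'
$ipSec = 'system.webServer/security/ipSecurity'
$denyNet = '203.0.113.0'; $denyMask = '255.255.255.0'; $denyCidr = '203.0.113.0/24'
$adminHost = '198.51.100.10'

# Layer 1 needs the IIS feature installed (Server cmdlet; harmless if present).
Install-WindowsFeature -Name Web-IP-Security -ErrorAction SilentlyContinue | Out-Null

# Deny the range; addresses not listed remain allowed (a deny-list posture).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter $ipSec -Name 'allowUnlisted' -Value $true
$existing = Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter "$ipSec/add" |
    Where-Object { $_.ipAddress -eq $denyNet -and $_.subnetMask -eq $denyMask }
if (-not $existing) {
    Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
        -Filter $ipSec -Name '.' -Value @{ ipAddress = $denyNet; subnetMask = $denyMask; allowed = $false }
}

# Layer 2: packet filter. Block rules win over allow rules in the Windows firewall,
# so the denied range is dropped before IIS ever sees the connection.
$rules = @(
    @{ DisplayName = 'Web: block denied range'; Action = 'Block'; LocalPort = '80', '443'; RemoteAddress = $denyCidr },
    @{ DisplayName = 'Web: allow HTTP/HTTPS';   Action = 'Allow'; LocalPort = '80', '443'; RemoteAddress = 'Any' },
    @{ DisplayName = 'RDP: management host only'; Action = 'Allow'; LocalPort = '3389'; RemoteAddress = $adminHost }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.DisplayName -Direction Inbound -Protocol TCP `
            -LocalPort $r.LocalPort -RemoteAddress $r.RemoteAddress -Action $r.Action | Out-Null
    }
}
# Everything without an explicit allow rule is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Review both layers.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site -Filter "$ipSec/add" |
    Select-Object ipAddress, subnetMask, allowed
Get-NetFirewallRule -DisplayName 'Web: *', 'RDP: *' |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        $port = $_ | Get-NetFirewallPortFilter
        "{0,-30} {1,-6} port={2} from={3}" -f $_.DisplayName, $_.Action, ($port.LocalPort -join ','), ($addr.RemoteAddress -join ',')
    }
```

The order of the two layers matches the article's advice: the packet filter is the first-class protection and costs nothing per request, while the IIS list is the finer control that can also be scoped to a single virtual directory. Note that a built-in "Remote Desktop" rule, if enabled, would still allow 3389 from anywhere; disable it when the management-host rule is in place.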
3. Auditing and monitoring technology.
Security auditing is responsible for monitoring all kinds of security-related events in the system, generating security logs, and providing a policy that designates which types of security events are to be reviewed. Specific settings: open the required audits under "Administrative Tools - Local Security Policy - Local Policies - Audit Policy". In addition to the security log, the system log and application log are also very good monitoring tools; they record the whole course of a user's activity, from the registry onward, and provide a reliable basis for network security analysis.
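Turning the audit policy on is only half of the section's point; the other half is actually reading the logs. The following added example (not from the article) enables the audit subcategories that correspond to the Local Security Policy settings described above, summarises failed logons from the Security log, and scans an IIS W3C log for the source-viewer probes mentioned in section (3) and for clients producing many error responses. It assumes a Windows Server with IIS logging to C:\inetpub\logs\LogFiles\W3SVC1; the log lines embedded at the end are constructed samples, not real traffic. Event IDs 4624 and 4625 are the standard Windows logon success and failure events.

```powershell
# Added example (not from the article): enable auditing, then use the logs.
# Assumptions: Windows Server; IIS W3C logs under C:\inetpub\logs\LogFiles\W3SVC1.

# Same effect as Local Security Policy > Audit Policy, but scriptable and diffable.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# Security log: failed logons (event 4625) in the last 24 hours, grouped by source.
function Get-FailedLogonSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $data['TargetUserName']; Source = $data['IpAddress'] }
        } | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
}

# IIS log: clients that requested the source-viewing sample files the article
# names, or that produced at least $ErrorThreshold 4xx/5xx responses.
function Get-SuspiciousWebClients {
    param([string[]]$LogLines, [int]$ErrorThreshold = 50)
    $fields = @()
    $rows = foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }   # other directives, blanks
        $vals = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $vals.Count; $i++) { $row[$fields[$i]] = $vals[$i] }
        [pscustomobject]$row
    }
    foreach ($g in ($rows | Group-Object 'c-ip')) {
        $errors = @($g.Group | Where-Object { [int]$_.'sc-status' -ge 400 }).Count
        $probes = @($g.Group | Where-Object { $_.'cs-uri-stem' -match '(?i)(showcode|code)\.asp$' }).Count
        if ($errors -ge $ErrorThreshold -or $probes -gt 0) {
            [pscustomobject]@{ Client = $g.Name; Requests = $g.Count; Errors = $errors; SourceViewerProbes = $probes }
        }
    }
}

# Constructed sample log (not real traffic) so the parser can be tried offline.
$sample = @(
    '#Software: Microsoft Internet Information Services',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status',
    '2024-01-01 10:00:00 10.0.0.5 GET /index.htm - 80 192.0.2.10 Mozilla 200',
    '2024-01-01 10:00:01 10.0.0.5 GET /samples/Showcode.asp source=/default.asp 80 192.0.2.77 curl 404',
    '2024-01-01 10:00:02 10.0.0.5 GET /code.asp - 80 192.0.2.77 curl 403'
)
Get-SuspiciousWebClients -LogLines $sample -ErrorThreshold 2    # reports 192.0.2.77 only
Get-FailedLogonSummary

# Against the live log:
# Get-SuspiciousWebClients -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\*.log')
```

The parser reads the field layout from the #Fields directive rather than assuming column positions, so it keeps working when the IIS logging fields are customised. A request for a sample file that was already deleted still appears as a 404 in the log, which is why the probe check does not filter on status: the fact that someone asked for it is the signal.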
4. SSL security mechanism.
SSL (Secure Socket Layer) is a security protocol that runs between the HTTP layer and the TCP layer and ensures the security of the information transmitted. SSL is based on a public key and a private key: any user can obtain the public key to encrypt data, but the data can only be decrypted with the corresponding private key. SSL has become the standard security measure for Web browsers and servers on the Internet. Because SSL support is built into all the major browsers and Web servers, it is only necessary to install a digital certificate (server certificate) on the server to activate the functionality. Once the SSL security mechanism is established, only SSL-capable clients are allowed to communicate with the Web site, and the browser must connect to an https:// address rather than a URL using the plain HTTP protocol.
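The steps of this section (install a server certificate, then allow only SSL clients) look like this on a current IIS, as an added example that is not code from the article. It assumes a site named Default Web Site, IIS 7 or later with the WebAdministration module, and the placeholder host name www.example.com. The certificate generated here is self-signed and suitable only for a lab; a production server imports a certificate issued by a trusted CA (for example with Import-PfxCertificate) in its place.

```powershell
# Added example (not from the article): bind a server certificate to port 443
# and make the site SSL-only, as the "SSL security mechanism" section describes.
# Assumptions: site 'Default Web Site', host name www.example.com (placeholder),
# IIS 7+. The self-signed certificate is for a lab; use a CA-issued one in production.
Import-Module WebAdministration

$site     = 'Default Web Site'
$hostName = 'www.example.com'

# Lab certificate in the machine store. In production replace this line with:
#   $cert = Import-PfxCertificate -FilePath .\server.pfx -CertStoreLocation Cert:\LocalMachine\My
$cert = New-SelfSignedCertificate -DnsName $hostName -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -NotAfter (Get-Date).AddYears(1)

# HTTPS binding on 443, then attach the certificate to that binding.
if (-not (Get-WebBinding -Name $site -Protocol https -Port 443)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
New-Item -Path 'IIS:\SslBindings\0.0.0.0!443' -Value $cert -Force | Out-Null

# "Only SSL clients may communicate": require SSL and 128-bit ciphers for the
# whole site. Plain http:// requests to port 80 are now refused with 403.4
# instead of being served.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $site `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl,Ssl128'

# Optional: drop the port-80 binding altogether so nothing listens in clear text.
# Remove-WebBinding -Name $site -Protocol http -Port 80

# Verify: bindings, the certificate answering on 443, and the SSL requirement.
function Get-SslStatus {
    param([string]$Site)
    $ssl = Get-ChildItem 'IIS:\SslBindings' | Where-Object { $_.Port -eq 443 } | Select-Object -First 1
    $flags = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter 'system.webServer/security/access' -Name 'sslFlags').ToString()
    [pscustomobject]@{
        Site        = $Site
        Bindings    = (Get-WebBinding -Name $Site | ForEach-Object { "$($_.protocol) $($_.bindingInformation)" }) -join '; '
        Thumbprint  = $ssl.Thumbprint
        Expires     = if ($ssl) { (Get-Item "Cert:\LocalMachine\My\$($ssl.Thumbprint)").NotAfter } else { $null }
        RequiresSsl = $flags -match 'Ssl'
    }
}
Get-SslStatus -Site $site
```

Get-SslStatus returns the three things an operator wants on a dashboard: that a certificate is bound, when it expires, and that the SSL requirement is still set. The certificate's private key never leaves the machine store; only the public half, inside the certificate, is sent to clients, which is the public/private key split the section describes.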