Just to entertain myself while I’m gainfully unemployed I’ve been toying with an ASP.NET website. It accesses an Access database that I created, stored in the AppData directory of the site.
I’d like to add a login/password feature, but I’ve noted that if you know the name of the database and the correct directory you can download the database directly, thus giving one access to all the passwords.
So … if someone has the chance, edumacate me a bit about database security in ASP.NET 3.5 and what I have to do to get around this conundrum.
Don’t put the database file inside the web root, for one.
Secondly, don’t store plaintext passwords in the database. Use a hashing function like SHA-256, and store the hashed passwords. When somebody tries to log in, compare the hash of the password they provide to what’s in the database.
Yeah, I was hoping to find a way around that. Microsoft’s Login system doesn’t translate well to a 64-bit system, which is what I’m running right now. I’m running Windows 7 Home Edition and the only way I can use the 32-bit system is to upgrade to the Professional or Enterprise Editions. So I’m trying to find a workaround before I break down and cough up the 200 bucks for that.
All the common file extensions that you don’t want to serve are usually set up by default when IIS is installed. *.mdb files should certainly be blocked. If your IIS is serving *.mdb then that suggests something didn’t go quite right in your IIS or .NET installation. It might be worth running aspnet_regiis.exe.
The previous advice is good too. It’s usually best for this stuff to not be in the web root at all but I think Microsoft provided this feature to help people who are using low cost shared hosting where you sometimes only get access to the web root.