This document was contributed by 无名足轻.
ASP security: English paper and Chinese translation

ASP security environment analysis

Abstract: Starting from the ASP system as a whole, this article analyses and summarizes ASP security technology from three aspects, the Web server side, the database side and ASP program design, and points out that ASP security should be prevention-oriented.

I. Introduction

ASP is Microsoft's server-side scripting environment. It combines scripts, HTML and ActiveX components into dynamic, interactive and efficient Web server applications. At present the IIS + ASP + SQL Server (or Access) combination has become the first choice of small and medium-sized enterprises building their own online information systems. Although ASP allows rapid development, it also has security vulnerabilities that cannot be ignored, and these security problems are ones that ASP developers and administrators have long worked to resolve. This paper attempts to analyse ASP security technology from the server side, the database side and ASP program design.

II. Analysis of ASP security technology

(A) Web server-side security technology

1. Directory and file protection

(1) NTFS permissions. The NTFS file system provides more secure file management than FAT32. Through the file access control list (ACL) it defines the permission level each user has on files and directories; the computer allows a user to access a file only if the user holds permission to open it. Setting access permissions on directories and files forbids unrelated users from copying, modifying or deleting them and limits intrusion into the system.

(2) Virtual directories and their attribute settings. A virtual directory hides important information about the site's directory structure. In the ASP environment the safer practice is to keep ASP scripts and HTML files in separate directories, giving the HTML directory the read attribute only and the ASP script directory the execute (scripts) attribute only. A script directory that has execute but not read permission can still run its pages but cannot serve their source to a browser.

(3) Preventing ASP files from being viewed. The Code.asp and Showcode.asp sample files that ship with IIS can display the source code of ASP programs and so be used to steal related information. On the Web server, delete these files or deny access to the directory that holds them.

2. Access restriction technology

(1) IP address restrictions. IIS can grant or deny access to specific IP addresses; denying access from a particular address shuts out that source of intrusion. Settings: A. start ISM (Internet Service Manager); B. open the "Advanced" tab of the Web site property page; C. configure the control settings for the specified IP addresses.

(2) User access control. IIS provides anonymous access and authentication control settings for site resources. According to these settings the Web server verifies the user's identity and prevents unauthorized users from establishing an HTTP connection to restricted content. Settings: on the "Directory Security" property page of the Web site, select "Anonymous access and authentication control" and edit it. Anonymous access lets a client establish a connection to the Web server under the IUSR_computername account (whose password is generated randomly). For non-anonymous access there are three authentication methods. Basic authentication sends the user name and password unencrypted (in clear text), so it should only be used over the SSL connection described in section 4. Digest authentication is supported only in a domain with a domain controller; it sends a hashed value over the network (a message digest computed with a hashing algorithm) rather than the password itself. Integrated Windows authentication uses a challenge/response exchange (NTLM or Kerberos) so that the password itself is never sent over the network; it does not depend on SSL.

(3) Firewall technology. The purpose of a firewall is to protect an internal network or host: it blocks illegal access to information resources and forces all connections to pass through this protective layer. Firewalls come in two kinds, packet filtering and proxy. Packet filtering mainly concerns the services provided by hosts at specific IP addresses; its basic principle is to intercept the IP packets travelling across the network at the IP layer and decide whether each packet is forwarded. A proxy's basic principle is to build a separate proxy program for the Web service; client and server programs are not allowed to interact directly and can exchange information only through the proxy. In practice the filter usually provides the first level of protection and the proxy server a higher-level protection mechanism on top of it.

3. Auditing and monitoring technology. Security auditing monitors the security-related events in the system, generates the security log and provides a way to view it. By analysing the security log, behaviour that endangers system security can be discovered and stopped. In a default Windows 2000 installation security auditing is off; to audit, first decide the audit policy, that is, the categories of security events to be audited. Settings: under "Administrative Tools - Local Security Policy - Local Policies - Audit Policy", turn on the necessary audit categories. Besides the security log, the system log and application log are also good monitoring tools: they record the user's whole sequence of operations from logon to logoff and provide a reliable basis for network security analysis.

4. SSL security mechanism. SSL (Secure Socket Layer) is a security protocol that runs between the HTTP layer and the TCP layer and ensures the security of transmitted information. SSL is built on public and private keys: anyone can obtain the public key to encrypt data for its holder, but the data can be decrypted only with the corresponding private key (in SSL the server's public key protects the key exchange that establishes a session key, and the session data itself is then encrypted with symmetric ciphers). At present SSL is regarded as the standard security measure for Web browsers and servers on the Internet. Because SSL is built into all major browsers and Web server programs, installing a digital certificate (server certificate) is all that is needed to activate the server function. Once the SSL mechanism is established, only SSL-capable clients can communicate with the SSL-enabled Web site: the browser connects to an https:// address rather than the http:// scheme in the URL.
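The difference between the Basic and Digest methods in section 2(2) is clearest as a message exchange. The following Python example is added by the editor and is not part of the paper; it reproduces the client and server sides of both schemes with the standard library only. The user names, passwords, realm and URI are constructed sample values (assumptions), so the code runs offline. Integrated Windows authentication is a different challenge/response protocol and is not modelled.

```python
import base64
import hashlib
import secrets

# Constructed sample values for the demonstration (not from the paper).
REALM = "intranet"
METHOD = "GET"
URI = "/secure/report.asp"


def basic_authorization(user, password):
    """Client side of Basic authentication: the Authorization header carries
    user:password merely base64-encoded, which is encoding, not encryption."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def recover_basic(header):
    """What anyone who captures the header on a plain HTTP connection gets back."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_challenge(realm=REALM):
    """Server side of Digest authentication: the WWW-Authenticate challenge,
    with a fresh random nonce for every challenge (RFC 2617, qop=auth)."""
    return {"realm": realm, "nonce": secrets.token_hex(16), "qop": "auth"}


def digest_response(user, password, challenge, method=METHOD, uri=URI):
    """Client side: HA1 = MD5(user:realm:password) stays on the client; only the
    final digest over HA1, the server nonce, a client nonce and the request is sent."""
    cnonce = secrets.token_hex(8)
    nc = "00000001"
    ha1 = md5_hex(f"{user}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")
    return {
        "username": user, "realm": challenge["realm"], "nonce": challenge["nonce"],
        "uri": uri, "qop": challenge["qop"], "nc": nc, "cnonce": cnonce,
        "response": response,
    }


def ha1_store_for(users):
    """The server's credential store for the realm: {user: HA1}.  Verifying Digest
    needs HA1 or the password itself on the server side, which is why on
    Windows 2000 it is tied to a domain controller holding the account with
    reversible encryption."""
    return {u: md5_hex(f"{u}:{REALM}:{p}") for u, p in users.items()}


def digest_verify(auth, challenge, ha1_store, method=METHOD):
    """Server side: recompute the expected response from the stored HA1."""
    if auth["nonce"] != challenge["nonce"] or auth["realm"] != challenge["realm"]:
        return False  # response computed under another nonce is rejected
    ha1 = ha1_store.get(auth["username"])
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{auth['uri']}")
    expected = md5_hex(
        f"{ha1}:{auth['nonce']}:{auth['nc']}:{auth['cnonce']}:{auth['qop']}:{ha2}"
    )
    return secrets.compare_digest(expected, auth["response"])
```

Running `recover_basic(basic_authorization("alice", "p@ss"))` returns the password in clear, which is the paper's reason for pairing Basic with SSL; the dictionary returned by `digest_response` never contains the password, and a response captured under one nonce fails `digest_verify` against the next challenge.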
5. Close unused services and protocols to plug loopholes and back doors in the system. Open as few unnecessary services as possible, and if a service must be opened, guard against the vulnerabilities it may introduce. At the same time, regularly download and apply the latest vulnerability patches for the operating system, IIS, ASP and the DBMS, which reduces the security risk as far as possible.
(B) ASP programming security technology

ASP programming security mainly involves two aspects: the security of the ASP source code, and the design of secure ASP programs. Common security techniques are as follows.

1. User name and password mechanism. The user name and password is the basic security technology. Usually an ASP form submits the account and password entered by the user, which are then matched against the corresponding fields of the user table in the database.

2. Cookie security. To prevent unauthorized users from accessing a legitimate user's session variables, the server assigns each SessionID a randomly generated number. Whenever the user's Web browser returns the SessionID cookie, the server takes the number out of the SessionID and checks it against the generated numbers it has stored; if they do not match, the user is not allowed to access the session variables. At the same time it is important to encrypt the SessionID cookie: once an attacker intercepts a user's SessionID cookie, he can impersonate that user and carry on the session. In practice, sending the cookie only over the SSL connection of section 4 is what keeps it from being intercepted.
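Sections B.1 and B.2 describe the login check and the SessionID cookie check in prose. The following Python example is added by the editor and is not the paper's own code (the paper shows no ASP code); it implements both checks against a constructed in-memory SQLite user table standing in for the paper's SQL Server/Access database. The salted PBKDF2 password hashing, the parameterized query, the constant-time comparison and the Secure/HttpOnly cookie flags are hardening choices of the editor rather than measures the paper names, and the cookie name ASPSESSIONID, user names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
import sqlite3

PBKDF2_ROUNDS = 100_000

# Server-side session table: SessionID -> user name.  In-memory for the example;
# the browser only ever holds the random ID, never the session data.
SESSIONS = {}


def make_user_db():
    """Constructed in-memory user table standing in for the paper's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def add_user(conn, name, password):
    """Store a per-user salt and a PBKDF2 hash instead of the password itself."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))


def check_login(conn, name, password):
    """Match the submitted account and password against the user table (B.1).
    The query is parameterized and the comparison is constant-time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        # Spend the same effort for an unknown account so response time does
        # not reveal which user names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, PBKDF2_ROUNDS)
        return False
    salt, pw_hash = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, pw_hash)


def login(conn, name, password):
    """On success, mint a SessionID from a CSPRNG, record it server-side and
    return the Set-Cookie header.  Secure keeps the cookie off plain HTTP
    (section 4's SSL); HttpOnly keeps it away from page script."""
    if not check_login(conn, name, password):
        return None
    sid = secrets.token_urlsafe(32)  # 256 random bits: not guessable or enumerable
    SESSIONS[sid] = name
    return f"ASPSESSIONID={sid}; Path=/; Secure; HttpOnly"


def _cookie_value(cookie_header, name):
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def session_user(cookie_header):
    """Server check on every request (B.2): the presented SessionID must be one
    this server issued; anything else gets no session variables."""
    sid = _cookie_value(cookie_header, "ASPSESSIONID")
    return SESSIONS.get(sid) if sid else None


def logout(cookie_header):
    """Invalidate the session server-side so a captured cookie is useless afterwards."""
    sid = _cookie_value(cookie_header, "ASPSESSIONID")
    if sid:
        SESSIONS.pop(sid, None)
```

A forged or stale cookie value such as `ASPSESSIONID=forged` returns no user from `session_user`, and after `logout` the previously valid ID is equally useless, which is the server-side half of what the paper asks for; the Secure flag is the transport half.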