This section briefly introduces security issues for your ASP application. A user who requests an ASP page must have the correct permissions to view the page. You can secure your ASP page by setting permissions on virtual directories and by setting file access permissions (if you are using Windows NT File System partitions) on your ASP files and folders. You can further secure your site by requiring an SSL or PCT client certificate.
For more detailed information, refer to the security topics in your operating system and Web server documentation. A complete discussion of Web site security issues is provided in a security white paper on the Microsoft Web site: http://www.microsoft.com/iis.
You must give virtual directories that contain .asp files both Read and Execute permissions in Internet Service Manager. Because you normally give such content directories only Read permissions, you may need to change the permissions for existing directories. To improve security, make sure that other executable files, such as ISAPI programs or CGI scripts, are located in separate directories with only Execute permissions.
For more information on setting permissions for virtual directories, see your Microsoft Web server's online documentation.
If you are using the Windows NT File System (NTFS), you can set access permissions that determine which users and groups have access to files. Generally, you should grant user groups only Read access to your files and folders. You can, however, assign different levels of permissions to different groups. For example, you could give a group of trusted ASP developers Read and Add permissions to the directories.
Many Web site administrators restrict the permissions granted to the anonymous logon account (IUSR_computername). If your Web server allows anonymous logons, the permissions granted to the anonymous user are checked before allowing access to an .asp file. If your users are having trouble accessing files in your application, double-check the permissions assigned to the IUSR_computername account.
For more information on setting access permissions in Windows NT, see your Windows NT documentation and Securing Your Site Against Intruders in your Web server's Installation and Administration Guide.
A Web site visitor using a browser that supports either the Secure Sockets Layer (SSL) 3.0 protocol or the Private Communications Technology (PCT 1) protocol can send a client certificate to prove his or her identity. A client certificate is an encrypted number that is stored in a file on the user's computer. The browser sends the number along with a request for an ASP page. Client certificates provide a way to secure access to a Web site; they are available from a number of certification authorities.
Note: You cannot use client certificates with Personal Web Server on Windows 95.
As an ASP application developer, you can write scripts to confirm the presence of a certificate and read certificate fields. For example, you can access the user name or company name fields from the certificate. Active Server Pages stores certificate information in the ClientCertificate collection of the Request object. For more information, see Object Reference.
Your Web server must be configured to request a client certificate; otherwise the ClientCertificate collection will be empty. By default, Internet Information Server and Peer Web Services do not request certificates. You can set up your Web server to request certificates for one or more virtual directories.
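The following is an added example, not code from the Adventure Works sample or the ASP documentation, showing how a page can check the ClientCertificate collection before serving protected content. The ceCertPresent and ceUnrecognizedIssuer flag values are the ones defined in cervbs.inc and are inlined here; TRUSTED_ISSUER_O is a hypothetical policy value that you would replace with the Organization name of the certification authority you accept.

```vbscript
<%@ LANGUAGE="VBSCRIPT" %>
<% Option Explicit
' Flag bits reported by Request.ClientCertificate("Flags"); same values as cervbs.inc.
Const ceCertPresent = 1
Const ceUnrecognizedIssuer = 2

' Hypothetical policy value: only certificates whose issuer's Organization
' field matches this string are accepted.
Const TRUSTED_ISSUER_O = "Example Certification Authority"

' Returns "" when the presented certificate is acceptable; otherwise returns
' a short reason suitable for writing to a log.
Function CheckClientCertificate()
    Dim flags
    flags = Request.ClientCertificate("Flags")
    ' The collection is empty when the server did not request a certificate
    ' or the browser sent none; treat anything non-numeric as "no flags".
    If Not IsNumeric(flags) Then flags = 0
    If (CLng(flags) And ceCertPresent) = 0 Then
        CheckClientCertificate = "no client certificate presented"
        Exit Function
    End If
    If (CLng(flags) And ceUnrecognizedIssuer) <> 0 Then
        CheckClientCertificate = "certificate chain ends in an unrecognized issuer"
        Exit Function
    End If
    ' Appending a field name to a key selects one attribute: IssuerO is the
    ' issuer's Organization, SubjectCN the subject's Common Name.
    If Request.ClientCertificate("IssuerO") <> TRUSTED_ISSUER_O Then
        CheckClientCertificate = "issuer is not the trusted CA"
        Exit Function
    End If
    ' Belt-and-braces validity check; the server normally rejects expired
    ' certificates during the handshake, but a misconfiguration should not
    ' silently let one through.
    If Now() < CDate(Request.ClientCertificate("ValidFrom")) Or _
       Now() > CDate(Request.ClientCertificate("ValidUntil")) Then
        CheckClientCertificate = "certificate is outside its validity period"
        Exit Function
    End If
    CheckClientCertificate = ""
End Function

Dim reason
reason = CheckClientCertificate()
If reason <> "" Then
    Response.Status = "403 Forbidden"
    Response.Write "Access denied."
    Response.End
End If
%>
<p>Welcome, <%= Server.HTMLEncode(Request.ClientCertificate("SubjectCN")) %>.</p>
```

Server.HTMLEncode is used on the subject name because certificate fields are client-supplied text and must not be written into the page unescaped.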
To configure your server to request a certificate:
For Internet Explorer version 3.0 and later, requesting a certificate is the same as requiring a certificate because the user cannot continue if no certificate is provided.
You can use client certificates alone or together with certificates installed on your Web server that authenticate your Web site to browsers. For more information on installing server certificates, see Securing Your Site Against Intruders in your Web server's Installation and Administration Guide.
A user who requests an ASP page cannot see the scripts contained in the .asp file. Using a browser's View Source command simply reveals the HTML tags and text that have been returned to the browser after the scripts have been executed. You may want to keep scripts hidden on the server so that users cannot freely copy them.
The Adventure Works sample site includes an .asp file that displays the source scripts of the pages in the Adventure Works application. You can move the file Code.asp into your own ASP-based application if you want your script code to be visible to users who visit your site. Visit the Adventure Works sample site to see an example of how you could use Code.asp.