Page 146 - DCAP309_INFORMATION_SECURITY_AND_PRIVACY

Information Security and Privacy




Also, if a company exposes a Web application that uses its database, with scripts written in Active Server Pages (ASP) or ASP.NET, and those scripts crash, the error report that is generated may disclose the application's source code.
In this case, limiting database access to the intended users is necessary. If database access has already been restricted to the legitimate users through appropriate security measures, a script crash will not disclose database connection information to unauthorized users.
This happens more often than one would expect: the database connection name and password end up exposed for the whole world to see. It is recommended to change the password for the database connection on a regular basis, which adds one more layer of security to the procedure.
Table Access Control: The access control table is the most general method of securing a database. Proper use of table access control requires close cooperation between the administrator and the database developer.

Restricting Database Access: There are situations when access to a specific database should be restricted to certain users. The NCSA httpd server has built-in user authentication features that can easily be adapted to work with an online database.
What to Protect


The server authentication scheme is designed to control access to file system objects. Access can be granted to certain people or sites, or certain sites can be denied access.
Here we consider a CGI script whose access we want to control, since it contains the database interface routines. Access control can be set up in the directory where the CGI script resides, so that only selected users or sites will be able to interact with our database.

If all of our interface functions are contained in a single executable, then protecting only certain interface functions from unauthorized access is a little more difficult. You can do this by creating a symbolic link to the CGI executable in a protected directory and calling the protected version whenever a restricted procedure is required.

The Access Control File

In the directory where the protected script resides, create a file named .htaccess. In the file, put the following:

Select a suitable name and directory for the AuthUserFile, which will be created shortly. It should not be in the protected directory, as it will contain all the usernames and passwords for access to that directory. The AuthGroupFile can be used to set up access for particular groups, which are defined in a "group file".
The AuthName above is the label that will appear in the dialog box asking for a password.
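The .htaccess file the text refers to, written out as an added example using the directives named above; it is not the book's own listing, and the file paths, the realm label and the group name dbusers are assumed:

```apache
# .htaccess placed in the protected CGI directory (added example; paths are assumed)
AuthType Basic
# AuthName is the label shown in the browser's password dialog
AuthName "Database Interface"
# Password file created with the htpasswd utility; kept outside the protected
# directory and outside the document tree so the server can never serve it
AuthUserFile /usr/local/etc/httpd/conf/.htpasswd
# Group file, one line per group, e.g. "dbusers: alice bob"
AuthGroupFile /usr/local/etc/httpd/conf/.htgroup
# NCSA httpd form: only members of the dbusers group may invoke the script.
# On Apache httpd, place "Require group dbusers" outside any <Limit> block,
# because <Limit> protects only the HTTP methods it lists.
<Limit GET POST>
require group dbusers
</Limit>
```

Because the password and group files sit outside the web tree, a crashing script in the protected directory cannot expose them the way it can expose an embedded connection string.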



140 LOVELY PROFESSIONAL UNIVERSITY