1

I'm looking for a way to increase security on some older web apps. They currently have their connection strings saved in plain text in an include.asp file. Ideally I was thinking of moving these to a web.config file and encrypting this using aspnet_regiis.exe, but this does not work for Classic ASP.

I've had a look around the internet but cannot find anything that seems to fit this specifically, has anyone run into the same issue before?

user692942
  • 16,398
  • 7
  • 76
  • 175
Luiz
  • 21
  • 4
  • 3
    Possible duplicate of [Encrypting connection string in classic asp](http://stackoverflow.com/questions/337663/encrypting-connection-string-in-classic-asp) – user692942 Jul 06 '16 at 12:04
  • You can store the connection string in "global.asa"... http://stackoverflow.com/questions/30867462/classic-asp-global-asa-sql-server-2008-connection-string – Foxbox Jul 06 '16 at 18:14

1 Answers1

0

The best way to protect your include.asp is to use anonymous authentication on the site and be sure to set the NTLM security of that file so that it can only be read by the user used by IIS.

If that is not possible you can obfuscate the string in a number of ways but almost none will be very secure, so you can avoid these strings being seen by the casual nosy user but not to a hacker.

  • you can use your own crypt and decrypt function, but they will be visible themselves in the .asp files, see here and here for examples

  • you can use an external crypt and encrypt tool that is run from your .asp like this (i use this to run a Ruby script and get the results, replace the command executed by yours)

    set objWShell = CreateObject("WScript.Shell") 
set objCmd = objWShell.Exec("cmd.exe /c c:\Ruby193\bin\ruby.exe d:\inetpub\site\appl\RMW\import\import.rb")
result = objCmd.StdOut.Readall()
errors = objCmd.STDERR.Readall() 
set objCmd = nothing
set objWShell = nothing

  • You could use Windows Script Encoder if your OS supports it, see

Community
  • 1
  • 1
peter
  • 41,770
  • 5
  • 64
  • 108