Classic ASP

Re: Server Side Includes and Security

MikePixel — Mon, 03 Nov 2008 02:26:48 GMT

Thanks a bunch. I really appreciate your time.

I will spend some time looking at IIS and server security best practices. That way I have my bases covered when I am using ASP.net or ASP in the future.

Thanks again for your time,

Re: Server Side Includes and Security

steve schofield — Mon, 03 Nov 2008 01:39:50 GMT

What you are describing falls into a 'management decision' vs. a technical one. Technically if your site static content, then HTML is the best way to go. There is a slight risk of being vulernable using ASP. There has been one ASP exploit in recent years. MS has a patch for it.

Regardless, I think the topic should be not if you use HTML vs. ASP rather a security and locking down your server discussion. If you don't need or use ASP, then turn off the functionality. If your site is a brochure site, you can remove all the dynamic script mappings that support ASP, ASP.NET and others.

In the end, regardless how you go, I think the risk is about the same, it's splitting hairs. If you are looking for a better, more secure way, HTML will win. "A server is only as good as the person(s) administering it.". Hope there is some advice in there. :)

Re: Server Side Includes and Security

MikePixel — Sun, 02 Nov 2008 22:28:12 GMT

My supervisor agrees with me that if I am just using the following includes that there isn't much risk.

The only issue he has is that the site is just static content and allowing for any server side interaction makes us more vulnerable. He wants to stick with plain old html so we wouldn't have to worry at all. He believes that just using asp extensions for includes is not worth it.

Re: Server Side Includes and Security

steve schofield — Sun, 02 Nov 2008 22:10:31 GMT

I would recommend using include files. What your supervisor is probably concerned about having connection strings in files named connectionString.inc or something similar, this could display sensative information. All you need to do is make sure your includes have a .ASP extension, this will ensure your code is processed by the ASP.DLL and not display sensative information such as a connection string or other credentials. If you can provide more information why your supervisor is concerned, I'm sure we could provide some direction.

Server Side Includes and Security

MikePixel — Sun, 02 Nov 2008 19:45:39 GMT

I looked around the site for a forum search and couldn't find one. I hope this hasn't been answered anywhere else. If it has I apologize.

My question is about server side includes and security. I love to use includes for menus and footers for my websites, but my supervisor, who I respect a lot, said that I shouldn't use them because it just opens up security issues.

I can understand his worries but I want to know from the IIS experts what risks I incur by using asp includes and whether or not there may be a better solution.

Oh and I am using server 2003 and IIS 6.

Thanks for your time,