IIS 5 & IIS 6
Server Side Includes and Security
Last post Nov 02, 2008 09:26 PM by MikePixel
Nov 02, 2008 02:45 PM|MikePixel
I looked around the site for a forum search and couldn't find one. I hope this hasn't been answered anywhere else. If it has I apologize.
My question is about server side includes and security. I love to use includes for menus and footers for my websites, but my supervisor, who I respect a lot, said that I shouldn't use them because it just opens up security issues.
I can understand his worries but I want to know from the IIS experts what risks I incur by using asp includes and whether or not there may be a better solution.
Oh and I am using server 2003 and IIS 6.
Thanks for your time,
Nov 02, 2008 05:10 PM|steve schofield
I would recommend using include files. What your supervisor is probably concerned about is having connection strings in files named connectionString.inc or something similar; this could display sensitive information. All you need to do is make sure your includes have a .ASP extension; this will ensure your code is processed by the ASP.DLL and does not display sensitive information such as a connection string or other credentials. If you can provide more information about why your supervisor is concerned, I'm sure we could provide some direction.
Windows Server MVP - IIS
Log archival solution
Install, Configure, Forget
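Added example, not part of the thread: a small Python audit for the exposure described in the reply above. It finds `#include` directives whose target has an extension other than `.asp` and rates the target HIGH when it appears to hold credentials. The function names, the `SCRIPT_MAPPED` set, the secret-matching heuristic and the sample site are assumptions made for illustration.

```python
import posixpath
import re

# Assumption: only .asp is mapped to the ASP script engine on this site.
SCRIPT_MAPPED = {".asp"}
INCLUDE_RE = re.compile(
    r'<!--\s*#include\s+(file|virtual)\s*=\s*"([^"]+)"\s*-->', re.IGNORECASE)
# Heuristic markers of credentials in classic ASP include files.
SECRET_RE = re.compile(r"connectionstring|provider\s*=|password\s*=|pwd\s*=",
                       re.IGNORECASE)


def resolve(page, kind, target):
    """Return the site-relative path an #include directive points at."""
    target = target.replace("\\", "/")
    if kind.lower() == "virtual":  # virtual paths start at the site root
        return posixpath.normpath(target.lstrip("/"))
    return posixpath.normpath(posixpath.join(posixpath.dirname(page), target))


def audit_includes(site):
    """site maps site-relative path -> file text. Returns sorted
    (include_path, severity, included_by) for includes whose extension is
    not script-mapped, so a direct request would bypass the ASP engine."""
    findings = {}
    for page, text in site.items():
        for kind, target in INCLUDE_RE.findall(text):
            path = resolve(page, kind, target)
            if posixpath.splitext(path)[1].lower() in SCRIPT_MAPPED:
                continue
            severity = "HIGH" if SECRET_RE.search(site.get(path, "")) else "LOW"
            findings.setdefault((path, severity), set()).add(page)
    return sorted((p, s, sorted(by)) for (p, s), by in findings.items())


# Constructed sample site (not from the thread); the password is a placeholder.
SAMPLE_SITE = {
    "default.asp": '<!--#include file="inc/menu.inc"-->\n'
                   '<!--#include virtual="/inc/db.inc"-->\n'
                   '<!--#include file="inc/footer.asp"-->',
    "products/list.asp": '<!-- #INCLUDE FILE="..\\inc\\db.inc" -->',
    "inc/menu.inc": "<ul><li>Home</li></ul>",
    "inc/db.inc": '<% connStr = "Provider=SQLOLEDB;Password=EXAMPLE" %>',
    "inc/footer.asp": "<p>footer</p>",
}

if __name__ == "__main__":
    for path, severity, pages in audit_includes(SAMPLE_SITE):
        print(f"{severity:4} {path} (included by {', '.join(pages)})")
```

Renaming a flagged include to `.asp` and updating the directives that reference it clears the finding.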
Nov 02, 2008 05:28 PM|MikePixel
My supervisor agrees with me that if I am just using the following includes that there isn't much risk.
The only issue he has is that the site is just static content and allowing for any server side interaction makes us more vulnerable. He wants to stick with plain old html so we wouldn't have to worry at all. He believes that just using asp extensions for includes is not worth it.
Nov 02, 2008 08:39 PM|steve schofield
What you are describing falls into a 'management decision' vs. a technical one. Technically, if your site is static content, then HTML is the best way to go. There is a slight risk of being vulnerable using ASP. There has been one ASP exploit in recent years. MS has a patch for it.
Regardless, I think the topic should be not whether you use HTML vs. ASP but rather a discussion about security and locking down your server. If you don't need or use ASP, then turn off the functionality. If your site is a brochure site, you can remove all the dynamic script mappings that support ASP, ASP.NET and others.
In the end, regardless of how you go, I think the risk is about the same; it's splitting hairs. If you are looking for a better, more secure way, HTML will win. "A server is only as good as the person(s) administering it." Hope there is some advice in there.
Nov 02, 2008 09:26 PM|MikePixel
Thanks a bunch. I really appreciate your time.
I will spend some time looking at IIS and server security best practices. That way I have my bases covered when I am using ASP.NET or ASP in the future.
Thanks again for your time,