Securing ASP Data Access Credentials Using the IIS Metabase - Where to Go From Here
(Page 4 of 4 )
You've learned how to configure the metabase, set up security, add keys and data to it, and finally read that data into a web application. These abilities serve as a foundation that will allow you to accomplish a great deal using the metabase. Now that you've completed this project, there are a lot of things you can do to take this code even further and make it truly useful.
With a little extra work, you can craft this lesson into a customized code library or component that will help you manage your usernames and passwords that might otherwise have been vulnerable. You could even build this up to the point where you have a tool that could be sold commercially. At the very least, you can use this code to retool the database driven ASP applications that you have now or might create someday.
Why not use code similar to MetaRead.asp in your global.asa file instead? You could put your metabase read function into an include file, and call it from global.asa using a single parameter to specify the key to read from. Of course, for performance reasons you shouldn't actually create your ADO connections at the application level, however, you can put these commands in an include file and have them read the credentials from application level objects created in global.asa.
Let's not forget that we could do a lot of work to automate the process of creating and populating the keys in the metabase. This goes for securing them as well. Why not build a web application to manage all of this? Just remember that you need to force the user to log in as someone for whom you've assigned write permissions to the DataAccessStorage key. Because you'd be creating new keys, you would want to be sure the user has administrator level access before allowing them to do so.
There really is a lot of uncharted territory here. Custom settings for inheritance and security can be configured on your metabase data to make administration easier on you. And, everything we've done today used only one of the many metabase data types. If you think it over for a while, you might be able to come up with a specialized use for this storage system that I haven't considered. As you play with the metabase some more, you'll find that it has other advantages as well, like replication for example.
So what are you waiting for? Get out there and make good use out of what you've learned.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
