Securing ASP Data Access - Enter the Metabase

Enter the Metabase

To do what I am suggesting, you are going to need some handy tools. One of these is the Metabase Editor, or MetaEdit for short. This tool is generously provided by Microsoft, and comes included in the IIS Resource Kit. You can also download it from Microsoft at:

http://support.microsoft.com/support/kb/articles/Q232/0/68.ASP

Do yourself a favor and read the knowledge base article if you haven't already. As the name implies, MetaEdit functions with the metabase much like our old friend RegEdit did with the registry. It also shares the same caveat, that you can do a considerable amount of damage with it. Before you face that risk, back up your metabase from the IIS management console, preferably several times. It is extremely important to do this when you are writing code that manipulates the metabase itself, because you will want to be able to undo any potentially bad changes it makes.

Once you have downloaded and installed MetaEdit on your web server, open it and take a look around. You'll see that the metabase has a tree structure, very similar to the registry, or even Active Directory. In fact, like Active Directory (or any LDAP database for that matter) the metabase has a schema. The schema defines all the data types that can be defined within the metabase, in which containers they are valid, and other vital information.

So, this is where we'll begin. You need to define data types that will store the username, password, and connection string for our database. If you were connecting to LDAP or Active Directory, you'd also need to create data types for these connections. There are three paths in which your new data type will be defined. Each is listed under the /Schema/Properties path: Defaults, Names, and Types. If you look directly at the values under these paths, you will find them almost impossible to understand, because much of the information is stored in binary. Fortunately, you can extend the schema via ADSI (Active Directory Service Interfaces), a set of COM interfaces that lets us interact with the metabase as well as other directory structures. Through ADSI, we can use VBScript or ASP to bind to the metabase and define our values.

Older versions of Windows NT 4.0 may not have ADSI installed. If this is the case on your server, you can download it from Microsoft at the following URL:

http://www.microsoft.com/NTWorkstation/downloads/Other/ADSI25.asp
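The schema extension described above could look like the following VBScript. This is an added example, not the article author's code; the property names (DemoDbUser, DemoDbPassword, DemoDbConnString) and the choice of IIsWebVirtualDir as the class that may hold them are hypothetical. It assumes you run it with cscript as an administrator on the IIS server, after backing up the metabase.

```vbscript
' Added example (not from the original article). All property names are hypothetical.
' Secure and Inherit are set as attributes of the IIS ADSI schema property object;
' confirm them against the ADSI documentation for your IIS version before relying on them.
Option Explicit

Const SCHEMA_PATH = "IIS://localhost/Schema"
Const TARGET_CLASS = "IIsWebVirtualDir"   ' class whose nodes may carry the values

Dim schema, names, i
Set schema = GetObject(SCHEMA_PATH)
names = Array("DemoDbUser", "DemoDbPassword", "DemoDbConnString")

For i = 0 To UBound(names)
    ' Password and connection string are treated as secrets; the username is not.
    DefineStringProperty schema, names(i), (names(i) <> "DemoDbUser")
    AllowOnClass names(i)
Next

Sub DefineStringProperty(schemaObj, propName, isSecret)
    Dim prop
    On Error Resume Next
    Set prop = GetObject(SCHEMA_PATH & "/" & propName)
    If Err.Number = 0 Then            ' already in the schema: leave it alone
        On Error GoTo 0
        WScript.Echo propName & " already defined, skipping"
        Exit Sub
    End If
    Err.Clear
    On Error GoTo 0
    Set prop = schemaObj.Create("Property", propName)
    prop.Syntax = "String"
    prop.Inherit = False              ' do not flow the value down to child nodes
    prop.Secure = isSecret            ' ask the metabase to store the value encrypted
    prop.SetInfo
    WScript.Echo "Defined " & propName
End Sub

Sub AllowOnClass(propName)
    Dim cls, opt, j
    Set cls = GetObject(SCHEMA_PATH & "/" & TARGET_CLASS)
    opt = cls.OptionalProperties
    For j = 0 To UBound(opt)          ' idempotent: skip if already listed
        If LCase(opt(j)) = LCase(propName) Then Exit Sub
    Next
    ReDim Preserve opt(UBound(opt) + 1)
    opt(UBound(opt)) = propName
    cls.OptionalProperties = opt
    cls.SetInfo
End Sub
```

After it runs, the new entries should be visible in MetaEdit under the /Schema/Properties paths named above.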

I have been working in IT since 1993. I founded CarpeDiem Business Internet Systems in 1995. In 2000 we incorporated and took on two partners. It's really a great lot of fun, and I enjoy working on the high-end and cutting-edge stuff from Microsoft. I'm pretty hard up for work lately, because of the attacks in New York and DC, so if anyone has any leads, they'd really help out a lot. Come check out our web site!

This article is Copyright (c) 2001 by Thomas Carpe and CarpeDiem Business Internet Systems, Inc. Published by permission. If you would like to publish articles by myself and our staff on this or other topics, please contact us.

Comments

  • Wow!

    Posted by kruelintent on 18 Mar 2004

    Very impressive.

    Having been battling with ASP database security it is nice to know the solution is out there although it is still quite worrying that database security is quite so vulnerable withou...

  • The End?

    Posted by caster_troy on 23 Jul 2002

    Is this the end of the article?