IIS Home @ it-notebook.org

How to prevent Microsoft Access databases from being downloaded

(Kristofer Gafvert, November 5, 2005)

A common question in the public newsgroups is how to protect Microsoft Access databases (.mdb files) from being downloaded. It is a very important question, because if the database file is downloaded, sensitive data (usernames and passwords) may be visible to unauthorized people.

There are several ways to prevent downloading of the database file. The best way is to not even make the file downloadable. That is, you place the file outside the home folder of the website. For example if the website's home folder is "D:\customers\2371\web" you can store the database files in the folder "D:\customers\2371\databases". By doing this, nobody can use HTTP to download the file.

Another solution to this problem is to disallow the HTTP GET verb for the specific folder where the database files are stored. Say that your website's home folder is "D:\customers\2371\web" and that the database files are stored in the folder "D:\customers\2371\web\db". In this case the file is placed in a folder that is inside the home folder of the website, and the file can be accessed via HTTP. If, however, you deny GET on this folder, any attempt to download the file via a GET request will fail, and IIS will reply with a "403.2 - Forbidden" message.

To prevent downloads using this method, do this:

  • In IIS Manager, right click the folder you want to protect (named "db" in this example) and click Properties
  • On the Directory tab, uncheck "Read"

The third solution presented in this article is to use ASP.NET. First you need to configure IIS so that mdb files are mapped to the ASP.NET ISAPI Extension:

  • In IIS Manager, right click the website (or folder) and click Properties
  • Click on the Home Directory (or Directory) tab.
  • Click the Configuration button
  • Click the Add button
  • As Executable, select the path to the aspnet_isapi.dll ISAPI extension (it is probably located in the C:\Windows\Microsoft.NET\Framework\\ folder; hint: copy the path from the .aspx application mapping)
  • As extension, type ".mdb" (without the quotes).
  • Uncheck "Verify that file exists"
  • Click Ok

Once this is done, the next step is to map the .mdb extension to the HttpForbiddenHandler HTTP handler. This is done in the web.config file. If you don't already have this file (that is, you don't have an ASP.NET application yet), you can create it with the following content. If you already have it, you must add the following to your web.config.

<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="*.mdb" type="System.Web.HttpForbiddenHandler" />
    </httpHandlers>
  </system.web>
</configuration>

If someone requests a file with an .mdb extension, the following message will appear: "This type of page is not served.", and the file will not be served to the web browser.

Which method should I use?

Use the first one (place the file outside the website's home folder) if you can. If this is not possible, deny read permissions on the folder (or file). And if not even that is possible, use ASP.NET.
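Whichever method you pick, it is worth verifying the result rather than trusting the configuration dialogs. The following Python script is an added example (not code from the original article) that checks the two things the three methods above are meant to guarantee: that a database path resolves to a location outside the website's home folder (method 1), and that a GET for an .mdb URL comes back as 403 (methods 2 and 3) rather than as the database itself. The file paths, URL and response bodies in it are constructed samples; the Jet/ACE file marker check is an assumption about the .mdb file format, not something the article states.

```python
"""Verify that an Access database cannot be fetched over HTTP.

Added example, not part of the original article. Paths follow the article's
Windows layout, so ntpath is used explicitly and the script runs on any OS.
"""
import ntpath
import urllib.error
import urllib.request

# Assumption: every Jet (.mdb) and ACE (.accdb) file carries one of these
# markers at byte offset 4, so a 200 body that starts this way is the
# database itself, whatever Content-Type the server claims.
JET_MARKERS = (b"Standard Jet DB", b"Standard ACE DB")

# Constructed sample bodies (not real files): the first 20 bytes of a Jet 4
# database, and the text returned when HttpForbiddenHandler refuses a request.
SAMPLE_JET_HEADER = b"\x00\x01\x00\x00Standard Jet DB\x00"
SAMPLE_FORBIDDEN_BODY = b"<html><body>This type of page is not served.</body></html>"


def is_outside_webroot(db_path: str, web_root: str) -> bool:
    """Method 1 check: True when db_path does not resolve to a place under web_root.

    Both paths are normalised (".." collapsed, case folded) so that a path such
    as "web\\db\\..\\..\\databases\\x.mdb" is judged by where it really points.
    """
    if not (ntpath.isabs(db_path) and ntpath.isabs(web_root)):
        raise ValueError("both paths must be absolute")
    root = ntpath.normcase(ntpath.normpath(web_root))
    db = ntpath.normcase(ntpath.normpath(db_path))
    try:
        return ntpath.commonpath([root, db]) != root
    except ValueError:
        # Different drive letters: certainly not under the web root.
        return True


def classify_response(status: int, body: bytes) -> str:
    """Methods 2/3 check: what a GET for an .mdb URL actually returned.

    'leaked'    : 200/206 whose body carries a Jet/ACE marker, the database was served
    'forbidden' : 403, read permission removed or HttpForbiddenHandler refused it
    'missing'   : 404, nothing at that URL (method 1, or the file never existed)
    'other'     : anything else (e.g. a 200 custom error page), inspect by hand
    """
    if status in (200, 206) and any(m in body[:64] for m in JET_MARKERS):
        return "leaked"
    if status == 403:
        return "forbidden"
    if status == 404:
        return "missing"
    return "other"


def probe(url: str, timeout: float = 5.0) -> str:
    """Fetch at most the first 64 bytes of url on your own server and classify them."""
    req = urllib.request.Request(url, headers={"Range": "bytes=0-63"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read(64))
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.read(64))


if __name__ == "__main__":
    # Constructed paths taken from the article's example layout.
    root = r"D:\customers\2371\web"
    for path in (r"D:\customers\2371\databases\site.mdb", r"D:\customers\2371\web\db\site.mdb"):
        print(path, "outside web root:", is_outside_webroot(path, root))
    print("200 + Jet header ->", classify_response(200, SAMPLE_JET_HEADER))
    print("403 ->", classify_response(403, SAMPLE_FORBIDDEN_BODY))
    # To test a live server, point probe() at an .mdb URL on your own site, e.g.
    # probe("http://localhost/db/site.mdb") should return "forbidden" or "missing".
```

A "forbidden" or "missing" result is what you want after applying any of the methods; "other" usually means a custom error page answered with status 200 and the check should be repeated with the response body in hand.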

Are there any other ways?

Yes, you can for example write an ISAPI filter to do this, and you can also use URLScan to deny the .mdb extension.

What if I password protect the database using Access's password protection, am I safe?

No! If someone has been able to download the database file, they can run an offline brute-force attack against it. It is just a matter of time until they have cracked the password for the database.

Applies to

IIS 6.0

Resources

RFC 2616, section 9.3: HTTP GET
KB 815152 - HOW TO: Use ASP.NET to Protect File Types