Survey and Assessment knowledgebase

ESA005: How do I secure my Survey and Assessment database?

It is possible for users to either download or open the Survey and Assessment database if the correct permissions have not been applied to the folder in which the database resides. eg by pointing a web browser at the address: http://yourserver/quiz/admin/dbase/easyquizz.mdb

To apply the correct permissions (HTTP Read-protecting the folder):

1. Open the Internet Service Manager and navigate to the 'data' folder;
2. Obtain the properties for this directory and set the IIS permissions as shown in the image below;

   
    

Notes:

1. Removing the READ Access Permission is the key to preventing web access to this folder. Removing the READ permission tells IIS that HTTP READ requests will not be allowed to this folder.

2. If you don't have access to the Internet Service Manager, ask your system administrator or ISP to make the changes for you.

3. How can an Active Server Page access the database if there is no READ access? All file access (including ASP activity) must be performed through the context of an NT user. For convenience sake, let's assume that it is the IUSR_UGUYS account. Just because IUSR_UGUYS cannot access the database via the HTTP protocol, does not mean that IUSR_UGUYS cannot access the database via an ASP script on the local file system.