December 20, 2000 12:00 AM

IIS Answers

Windows IT Pro
InstantDoc ID #16218
Downloads
16218.zip

How can I make the Active Server Pages (ASP) files on my server unreadable to those who might gain access to the script?

As you probably know, if a user can access the ASP script files that run on a server, that person can clearly see the details of the software, including variables in use, paths to calling programs, database connections, and even embedded passwords or authentication schemes. If Microsoft IIS is working properly, users should see only the result of running the script; however, various vulnerabilities have enabled users to access ASP source code. For information about two such vulnerabilities, see the Microsoft articles "Malformed HTR Request Returns Source Code for ASP Scripting Files" at http://support.microsoft.com/support/kb/articles/q260/0/69.asp and "Virtual Directory Mapped to UNC Returns Server-Side Script Code When URL Contains Additional Characters at the End of the Request" at http://support.microsoft.com/support/kb/articles/q249/5/99.asp.

Windows 2000 Service Pack 1 (SP1) fixes the Server-Side Script Code bug but not the Malformed HTR Request bug. In addition, anyone who can access the IIS server files with Read permissions by any means other than Microsoft Internet Explorer (IE) can peruse the source code. Because of script vulnerabilities, some administrators don't use scripting on their sites, insisting on harder-to-develop, faster-to-execute, and harder-to-read compiled code in the form of isapi.dll or custom COM objects.

To solve the ASP-script security problem, Microsoft has released Windows Script Encoder, which is available at no cost as part of the updated Windows Script (WS) engine at http://msdn.microsoft.com/scripting. The encoder obscures readable ASP script so that it makes no sense to the viewer looking at the script.

The encoder is fairly straightforward, but you should use it with care. First, you should use the encoder only on your final, debugged code. Error messages reporting problems in encoded script tend not to be as useful as error messages in unencoded script. For example, the line numbers specifying where an error occurred can be wrong, which makes identifying the problem more difficult. Second, encoding is a one-way process. So, after you debug your script and use the command

screnc sourcefile outputfile

to encode the script, .html file, .txt file, or scriptlet, users can't decode the encoded file to yield your source—and you can't either.

The encoder lets you encode all your ASP files at one time and place them in a target directory. For example, to encode all ASP files in the current directory and place the results in the c:\aspencoded directory, you use the command

screnc *.asp c:\aspencoded

You can also encode just a portion of a script. You use the **Start Encode** special marker to indicate where encoding should begin in your script, as Listing 3, page 84, shows. Anything after the marker is encoded. During encoding, the scripting language reference changes to indicate that the script is encoded. For VBScript, the reference looks like this:

<SCRIPT LANGUAGE="VBScript.Encode">

For JScript, the reference looks like this:

<SCRIPT LANGUAGE="JScript.Encode">

Finally, note that the encoded script won't work unless you update your WS engine to version 5.5. This update applies to Win2K, Windows NT 4.0, Windows 98, and Win95 OEM Service Release 2 (OSR2).
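The two checks below are an added example, not code from the article or from Microsoft: a small pre-publish audit you can run over your ASP files before and after screnc. Before encoding, it flags credential-like text that sits above the **Start Encode** marker, because the article notes that only text after the marker is encoded. After encoding, it verifies that every script language reference carries the .Encode suffix shown above and that no credential-like text is still readable. It assumes Python 3, a constructed list of credential keywords (Password=, pwd=), and that screnc rewrites the ASP `<%@ LANGUAGE=... %>` directive with the same suffix as the SCRIPT tag (an assumption; the article shows only the SCRIPT tag form). The sample files and the `#@~^ ... ^#~@` encoded-body placeholders are constructed for the example. Note that the script engine itself must be able to read the encoded text at run time, so treat the encoding as a readability barrier and keep Read permissions on the server files tight as the article recommends.

```python
"""Pre-publish audit for ASP files processed with Windows Script Encoder (screnc).

Added example: checks (1) that credential-like text is not placed above the
**Start Encode** marker in the source, since only text after the marker is
encoded, and (2) that encoded output carries the .Encode language suffix and
exposes no readable credential text.
"""
import re
from typing import List

# Language reference as screnc rewrites it, e.g. <SCRIPT LANGUAGE="VBScript.Encode">.
SCRIPT_TAG = re.compile(r'<SCRIPT\b[^>]*?\bLANGUAGE\s*=\s*"?([A-Za-z.]+)', re.IGNORECASE)
# ASP page directive; assumption: screnc rewrites it with the same .Encode suffix.
ASP_DIRECTIVE = re.compile(r'<%@[^%]*?\bLANGUAGE\s*=\s*"?([A-Za-z.]+)', re.IGNORECASE)
# Constructed list of tokens that usually sit next to embedded credentials.
SECRET_HINT = re.compile(r'\b(password|pwd)\s*=', re.IGNORECASE)
START_MARKER = "**Start Encode**"


def language_references(text: str) -> List[str]:
    """Return every script language name referenced in an ASP/HTML file."""
    return ([m.group(1) for m in SCRIPT_TAG.finditer(text)]
            + [m.group(1) for m in ASP_DIRECTIVE.finditer(text)])


def is_encoded(text: str) -> bool:
    """True only if every language reference ends in .Encode."""
    refs = language_references(text)
    return bool(refs) and all(r.lower().endswith(".encode") for r in refs)


def check_source(source: str) -> List[str]:
    """Run BEFORE screnc: lines with credential text the marker would leave readable.

    Without a marker, screnc encodes the whole script, so nothing is flagged.
    """
    pos = source.find(START_MARKER)
    if pos < 0:
        return []
    return [f"credential-like text before marker: {line.strip()}"
            for line in source[:pos].splitlines() if SECRET_HINT.search(line)]


def check_encoded(text: str) -> List[str]:
    """Run AFTER screnc: problems that mean the file is not safe to publish."""
    problems = []
    if not is_encoded(text):
        problems.append("script is not encoded (language reference lacks .Encode)")
    problems += [f"credential-like text still readable: {line.strip()}"
                 for line in text.splitlines() if SECRET_HINT.search(line)]
    return problems


# Constructed sample files; the encoded bodies are placeholders, not real screnc output.
PLAIN_SOURCE = (  # never run through screnc
    '<SCRIPT LANGUAGE="VBScript" RUNAT="Server">\n'
    'Set cn = Server.CreateObject("ADODB.Connection")\n'
    'cn.Open "DSN=orders;UID=web;Password=example"\n'
    "</SCRIPT>\n"
)
MARKER_AFTER_SECRET = (  # source whose marker sits below the connection string
    '<SCRIPT LANGUAGE="JScript" RUNAT="Server">\n'
    'var cs = "DSN=orders;UID=web;Password=example";\n'
    "//**Start Encode**\n"
    "function lookup(id) { return id; }\n"
    "</SCRIPT>\n"
)
ENCODED_OK = (  # encoded output, marker was placed above all sensitive lines
    '<SCRIPT LANGUAGE="VBScript.Encode" RUNAT="Server">\n'
    "' Copyright notice left readable on purpose\n"
    "#@~^...placeholder encoded body...^#~@\n"
    "</SCRIPT>\n"
)
ENCODED_LEAK = (  # encoded output of MARKER_AFTER_SECRET: the secret stayed in the clear
    '<SCRIPT LANGUAGE="JScript.Encode" RUNAT="Server">\n'
    'var cs = "DSN=orders;UID=web;Password=example";\n'
    "#@~^...placeholder encoded body...^#~@\n"
    "</SCRIPT>\n"
)

if __name__ == "__main__":
    print("source check:", check_source(MARKER_AFTER_SECRET))
    for name, text in [("plain", PLAIN_SOURCE), ("ok", ENCODED_OK), ("leak", ENCODED_LEAK)]:
        print(name, check_encoded(text) or "OK")
```

Run `check_source` over your working copies before you invoke `screnc *.asp c:\aspencoded`, then `check_encoded` over the files in the target directory; an empty list from the second call means every language reference was rewritten and no credential keyword survives in readable form.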
