Verifying order database security

Once your Web site is published, you should routinely verify its security by doing the following.

Archive the order Database

We suggest that you keep an archive of the shop.mdb from the /fpdb folder locally and that only a limited number of orders be left in the live shop.mdb. This is simply routine common-sense security.

Verify that the Virtual Directory permissions for the /fpdb folder are correct. IMPORTANT

If you open a web browser and type http://www.yourdomain.com/fpdb/shop.mdb, you should not be able to download your orders. If you can, the virtual directory permissions of your /fpdb folder are incorrect. If your server is incorrectly installed, follow this procedure to correct them.

  1. The virtual directory permissions of the /fpdb folder MUST be as follows; if not, your ISP needs to change them with IIS's Microsoft Management Console, or anyone will be able to download your shop.mdb file. This is the file where your customers' credit card information is stored. The Read Access permission for the virtual directory in IIS's Microsoft Management Console must be unchecked.

Warning! It is the virtual directory and script permissions that truly allow someone to download a file. By default, virtual application folders have only Write Access or Read Access, not Read and Write. Since the virtual directory permissions of the /fpdb folder allow only write access, the server will not let anyone download or READ the order database /fpdb/shop.mdb from a Web browser. If you can (and you should test this), the virtual directory permissions need to be changed to Write only in the IIS properties.
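The browser test above can be scripted so it is run after every publish or server change. The following Python script is an added example, not code from the SalesCart documentation: it requests the same /fpdb/shop.mdb URL named on this page, reads only the first few bytes of whatever comes back, and reports whether the live order database is downloadable. The hostname is a placeholder you replace with your own site; the "Standard Jet DB" bytes it looks for are the standard header of a Microsoft Access .mdb file.

```python
"""Check that the SalesCart order database cannot be fetched over HTTP.

Added example (not part of the SalesCart documentation). It automates the
manual browser test: fetch http://<your host>/fpdb/shop.mdb and confirm IIS
refuses to serve it. The /fpdb/shop.mdb path comes from the documentation;
the host below is a placeholder.
"""
import sys
import urllib.error
import urllib.request

# Bytes 4..18 of a Microsoft Access / Jet .mdb file header.
JET_SIGNATURE = b"Standard Jet DB"
# Read only this much of a response: enough to see the file header, so a
# misconfigured server is not asked to stream the whole database back.
PROBE_BYTES = 64


def classify(status, body):
    """Map an HTTP status and the first bytes of the body to a verdict.

    EXPOSED   - 200 and the body carries the Jet signature: the order
                database is downloadable; the /fpdb Read Access box is
                checked and must be cleared in the IIS MMC.
    READABLE  - 200 but not a Jet file (for example a custom error page
                served with status 200); inspect manually.
    BLOCKED   - 401/403: IIS refused the read, which is the correct state.
    NOT_FOUND - 404: nothing served at that path.
    OTHER     - any other status; investigate.
    """
    if status == 200:
        if body[4:4 + len(JET_SIGNATURE)] == JET_SIGNATURE:
            return "EXPOSED"
        return "READABLE"
    if status in (401, 403):
        return "BLOCKED"
    if status == 404:
        return "NOT_FOUND"
    return "OTHER"


def check_order_db(url, timeout=10):
    """GET the order database URL and classify the result."""
    req = urllib.request.Request(url, headers={"User-Agent": "fpdb-permission-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read(PROBE_BYTES))
    except urllib.error.HTTPError as err:
        # 4xx/5xx responses raise; the status code is all we need.
        return classify(err.code, b"")
    except urllib.error.URLError:
        # DNS failure, refused connection, timeout: the check did not run.
        return "UNREACHABLE"


if __name__ == "__main__":
    # Placeholder host: replace with your own published site.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.yourdomain.com/fpdb/shop.mdb"
    verdict = check_order_db(target)
    print(f"{target}: {verdict}")
    # Non-zero exit so a scheduled job or build step fails loudly.
    sys.exit(1 if verdict == "EXPOSED" else 0)
```

Run it as `python check_fpdb.py http://www.yourdomain.com/fpdb/shop.mdb` once the site is published and again whenever the hosting account is moved or reconfigured. BLOCKED is the verdict you want; it corresponds to Read Access being unchecked on the /fpdb virtual directory. EXPOSED means the database with your customers' orders was served, and the permissions must be corrected before anything else.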

See Also

Security and SSL

Obtaining an SSL certificate

Making SalesCart Secure

Checkpost