Encryption Module for IIS

IIS 6 installation instructions

Important: Restart the application pool after setting/changing the password.

Important: If IIS is a different server, install DbDefence Configurator and Client DLL on that server.

There is an alternative method to unlocking access to the database. You may allow access to the encrypted database for certain SQL Server logins.

Like any other client application, web applications are also affected by access restrictions (if you restrict access). You also need to run unlocking SQL statement to unlock access.

To simplify that process, DbDefence includes a special module that intercepts all database connections from IIS process. It executes an unlocking statement before any other SQL command from a web application.

Start Configurator and navigate to Web Pools/Application section (it appears only if IIS is installed)

Pools

By default all applications run in DefaultAppPool. You may set the passwords for default pool; however, for better security, we recommend you make a copy of the default pool and assign this pool to certain applications using an encrypted database. You can create pools with IIS Manager.

So, in our case, pool1 is just a copy of the default pool.

Now we simply enter the name of the protected database and its encryption password and click "Save".

Setpassword

You need to restart your web application with IIS Manager for the changes to take effect.

That's all!

Performance considerations

There is a small performance degradation because for every connection, the DbDefence module needs to check whether there are encrypted databases with the given name or not. Luckily IIS uses connection pooling, so the checking doesn't happen too often.

Security considerations

Passwords are securely encrypted and stored on the server. Passwords are not transferable to another server and can't be recovered (in a reasonable amount of time). Web applications can't read and display passwords as is possible with Microsoft Secure Configuration.

Verifying Installation

The module is represented by a single DLL acdbdiis.dll and installed automatically into the INETSRV folder if IIS is installed on the target computer. You can see it by viewing the Modules page in IIS Manager:

Globalmodules

Modulelist

As you can see, there are different DLLs for 32- and 64-bit applications.

Uninstall

To remove the module, do not just delete the files! This will lead to a "Service Unavailable" error.

If you think that the module interferes with your application, you may uninstall it with the commands:

c:\windows\system32\inetsrv\appcmd uninstall module "DbDefence Database Access"
c:\windows\system32\inetsrv\appcmd uninstall module "DbDefence Database Access 64"

Alternatively you may use unlocking by SQL login

Troubleshooting

If there is a problem with the module, your application gets the "Service Unavailable" error and tge pool is stopped. Take a look in Event Log to find the problem.

IIS 6 installation

Installer does not automatically install required modules.

To enable the module, you need to install the ISAPI filter manally. Read more about it on the Microsoft site:

www.microsoft.com/technet/prodtechnol/WindowsServer2003/Libr ary/IIS/54c41c83-3723-4695-9bf1-9f7b1f674be0.mspx?mfr=true

DbDefence supplies 2 ISAPI filters, acdbdiis.dll and acdbdiis64.dll, for 32- and 64-bit OS. Those files are copied into %WIN%\SYSTEM32\INETSRV.

You need to install the appropriate ISAPI filter manually depending on your OS platform. Set up passwords as usual with the Configurator GUI. Restart the target application pool in IIS Manager after setting the passwords.