Encryption module for IIS

IIS 6 installation instructions

Important: Restart the application pool after setting or changing the password.

Important: If IIS runs on a different server, install the DbDefence Configurator and Client DLL on that server.

Update: There is an alternative method of accessing an encrypted database. You can allow certain SQL Server logins to access the encrypted database automatically.
Read more at http://www.database-encryption.com/support/dbdefence-documentation/automatic-keys

Like any other client application, web applications are affected by access restrictions (if you restrict access). They also need to run the unlocking SQL statement to gain access.

To simplify that process, DbDefence includes a special module that intercepts all database connections from the IIS process. It executes the unlocking statement before any other SQL commands from the web application.

Start the Configurator and navigate to the Web Pools/Application section (it appears only if IIS is installed).

By default, all applications run in DefaultAppPool. You may set passwords for the default pool; however, for better security we recommend that you make a copy of the default pool and assign that copy only to the applications that use the encrypted database. You can create pools with IIS Manager.

In our example, pool1 is just a copy of the default pool.

Now simply enter the name of the protected database and its password and press "Save".

You need to restart your web application with IIS Manager for the changes to take effect.

That's all!

Performance Considerations

There is a very small performance cost, because for every connection the DbDefence module needs to check whether an encrypted database with the given name exists. Fortunately, IIS uses connection pooling, so these checks do not happen often. In practice you will not notice any performance degradation.

Security Considerations

Passwords are securely encrypted and stored on the server. A stored password is not transferable to another server and can't be recovered (in a reasonable amount of time). The web application can't read and display the password, as is possible with Microsoft Secure Configuration.

Verifying Installation

The module is a single DLL, acdbdiis.dll, and is installed automatically into the INETSRV folder if IIS is installed on the target computer. You can see it on the Modules page in IIS Manager.

As you can see, there are different DLLs for 32-bit and 64-bit applications.

Uninstall

To remove the module, do not just delete the files! Doing so leads to a "Service Unavailable" error.

If you think that the module interferes with your application, you may uninstall it with these commands:

c:\windows\system32\inetsrv\appcmd uninstall module "DbDefence Database Access"
c:\windows\system32\inetsrv\appcmd uninstall module "DbDefence Database Access 64"

Troubleshooting

If there is a problem with the module, your application returns a "Service Unavailable" error and the pool is stopped. Look in the Event Log to find the cause.
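
The checks from the Verifying Installation, Uninstall and Troubleshooting sections can be scripted. The following is an added example, not code from DbDefence: it confirms that each registered module still has its DLL on disk (a registered module with a missing file is the "Service Unavailable" case) and shows recent errors if the pool is stopped. It assumes IIS 7 or later with the WebAdministration module, the pool name pool1 from the example above, and that the relevant errors land in the System or Application log.

```powershell
# Added example (not vendor code). Run in an elevated 64-bit PowerShell on IIS 7 or later.
Import-Module WebAdministration

# Module names as they appear in the uninstall commands on this page.
$moduleNames = 'DbDefence Database Access', 'DbDefence Database Access 64'
$poolName    = 'pool1'   # assumption: the dedicated pool from the example above

function Test-DbDefenceModule {
    param([string[]]$Names)
    $global = @(Get-WebGlobalModule)
    foreach ($name in $Names) {
        $entry = $global | Where-Object { $_.Name -eq $name } | Select-Object -First 1
        # Image may contain variables such as %windir%; expand before testing the path.
        $path  = if ($entry) { [Environment]::ExpandEnvironmentVariables($entry.Image) }
        [pscustomobject]@{
            Module     = $name
            Registered = [bool]$entry
            Image      = $path
            FileExists = [bool]($path -and (Test-Path -LiteralPath $path))
        }
    }
}

$results = @(Test-DbDefenceModule -Names $moduleNames)
$results | Format-Table -AutoSize

# A registered module whose DLL is gone is the "Service Unavailable" case:
# the file was deleted instead of running appcmd uninstall module.
foreach ($r in $results | Where-Object { $_.Registered -and -not $_.FileExists }) {
    Write-Warning "$($r.Module) is registered but $($r.Image) is missing."
}

# The page notes that the pool is stopped when the module fails; check its state.
$state = (Get-WebAppPoolState -Name $poolName).Value
Write-Output "Application pool '$poolName' is $state."
if ($state -ne 'Started') {
    # Assumption: the relevant errors are in the System or Application log.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'System', 'Application'
        Level     = 2                         # Error
        StartTime = (Get-Date).AddHours(-1)
    } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message |
        Format-List
}
```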

IIS 6 installation

On IIS 6, the installer does not automatically install the required modules.

To enable the module you need to install the ISAPI filter manually. Read more about it on the Microsoft site:

www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/54c41c83-3723-4695-9bf1-9f7b1f674be0.mspx?mfr=true

DbDefence supplies two ISAPI filters, acdbdiis.dll and acdbdiis64.dll, for 32-bit and 64-bit operating systems. These files are copied into %WIN%\SYSTEM32\INETSRV.

You need to install the appropriate ISAPI filter manually, depending on your OS platform. Set up passwords as usual with the Configurator GUI. Restart the target application pool in IIS Manager after setting passwords.