When storing sensitive customer information in a Microsoft Access
database, it is extremely important that users of our applications
understand how to configure Active Server Pages applications properly
and set the right permissions to keep their databases secure. For example,
improper permissions on the server, the database, or the folder in which
the database resides can allow anyone to download your store's entire
database simply by requesting it with a browser.
Below are some recommendations for steps
to take to secure your store's Access database. Some of these require
administrator access to the server on which the ASP application resides.
If you do not have administrator rights on your website's server, then
you will need to ask your hosting service for assistance.
Disable directory browsing
1. Disable directory browsing on your web site. This will keep an
unscrupulous web surfer from easily learning the names of your database
and the directory in which your store's database resides.
Rename database folder and database
2. Rename the demo database that comes in your download package as well
as the folder in which it resides. Never use the default names: they are
the first thing an attacker will try. Choose names that cannot be guessed
from the product name. Note: Once you have renamed these two items, you
must update the connection string in the db.asp and global.asa files that
came in your download package to reflect the new path to your database.
Password-protect the database
3. Take possession of the database and password-protect it. Use 8 or more
alphanumeric characters with a mix of upper and lowercase. Even if an
unscrupulous person should succeed in learning the path to your database
and downloading it, the file will be password-protected. Treat this as a
last line of defence only: a Jet database password is stored inside the
file and can be recovered with freely available tools, so steps 1, 2 and
5 are what actually keep the file out of reach. Note: Once the password is
set, the connection string in db.asp and global.asa must include it
(Jet OLEDB:Database Password=...), or the application will no longer be
able to open the database.
To take possession of the database and set a password, open Microsoft
Access. When the dialog box pops up, click the Cancel button. Then click
File>Open. Browse to the demo database. Select it, but do not open it
yet. On the Open button at the bottom right of the dialog box, click the
down arrow. Select Open Exclusive (a database password can only be set
while the database is opened exclusively). The database opens. Go to
Tools on the menu bar. Select Security>Set Database Password.
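The following db.asp is an added example showing how steps 2 and 3 change the connection string; it is not the db.asp or global.asa shipped in the download package. The renamed folder and file names and the password value are assumptions, as is the OpenStoreDb function name. The point to notice is the Jet OLEDB:Database Password entry: without it the Open call fails as soon as the database password from step 3 is set.

```vbscript
<%
' Added example (not the vendor's db.asp). Folder, file and password values
' are assumptions: substitute the names you chose in steps 2 and 3.
Option Explicit

' Physical path resolved from the renamed virtual folder, so the string stays
' correct when the hosting service moves the web to another drive or server.
Const DB_VIRTUAL_PATH = "/st0re_priv_2x9/ordersx41.mdb"

' The password set in Access (Tools > Security > Set Database Password).
' IIS never serves .asp source to browsers, so it is not exposed by this file,
' but keep db.asp with the application pages, never inside the database folder.
Const DB_PASSWORD = "Kq7vRt2pLm9s"

' Builds the connection string once; global.asa can store the same value in
' Application("ConnString") from Application_OnStart.
Function StoreConnString()
    StoreConnString = "Provider=Microsoft.Jet.OLEDB.4.0;" & _
        "Data Source=" & Server.MapPath(DB_VIRTUAL_PATH) & ";" & _
        "Jet OLEDB:Database Password=" & DB_PASSWORD & ";"
End Function

' Every page that needs the store database calls this and closes the
' returned connection when finished.
Function OpenStoreDb()
    Dim objConn
    Set objConn = Server.CreateObject("ADODB.Connection")
    objConn.Open StoreConnString()   ' fails here if the password is wrong or missing
    Set OpenStoreDb = objConn
End Function
%>
```

If the password is changed in Access later, only DB_PASSWORD needs to change; if the folder or file is renamed again, only DB_VIRTUAL_PATH does.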
Encryption of credit card numbers
4. Encrypt credit card numbers stored in the database. Included with all
of our applications, except the Free version, which is not credit
card-enabled, is an encryption utility for encrypting credit card numbers
stored in the database. Keep the encryption key out of the database
itself and out of any folder the web server can serve; an attacker who
downloads both the database and its key gains nothing from the encryption
having been applied.
Deselect "Read" on database folder
5. Once you have done all the above, have uploaded the application to a
subweb or virtual directory on your web site, and have set the proper ASP
application permissions (see HOW TO: Deploy an ASP Application to Another
Server by Using Internet Information Server for configuring and deploying
an ASP application), you must disable READ permission on the server for
your renamed database folder. This is the IIS web permission, not the
NTFS permission: the ASP engine still opens the file through Jet, but IIS
refuses to serve it to a browser. If your hosting plan gives you a folder
outside the web root, placing the database there is better still, because
IIS then never sees it at all. On a hosted server, this can be done by
your hosting service or, if you have administrator rights to the server,
follow the instructions below.
- Open the Internet Services Manager by clicking
"Start>Settings>Control Panel>Administrative Tools>Internet Services
Manager". Select your server and the web site containing the database
folder from the cascading menus. Then right-click the directory
containing the database and select "Properties". A folder properties
dialog box will pop up. Deselect "Read" in the dialog box. If you do not
have permission to do this, have your hosting service do it.
- Alternatively, if you have Microsoft
FrontPage, open the web in FrontPage, right-click the database
directory, select Properties, then make sure that the “Allow files to be
browsed” box is unchecked.
Both of the above
will prevent unauthorized users who know or might guess the names of your
databases from using a browser to download your data to their local
computer.
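The two IIS changes from steps 1 and 5, followed by the check worth running afterwards, as an added example that is not part of the download package: a script run with cscript on the server that uses the IIS metabase ADSI provider of IIS 4, 5 and 6 (it does not apply to later IIS versions without metabase compatibility installed). The site number, public host name, and folder and file names are assumptions. The final request is the same one an attacker would make; IIS answers 403 once Read is removed, so anything other than an HTTP 200 is the desired result.

```vbscript
' Added example, not from the vendor's package: applies steps 1 and 5 through
' the IIS metabase ADSI provider (IIS 4/5/6) and then verifies that the
' database can no longer be fetched over HTTP. Site number, host name, folder
' and file names are assumptions. Run as an administrator:  cscript lockdb.vbs
Option Explicit

Const SITE_PATH = "IIS://localhost/W3SVC/1/Root"   ' root of the first web site
Const DB_FOLDER = "st0re_priv_2x9"                 ' renamed database folder (step 2)
Const DB_FILE   = "ordersx41.mdb"                  ' renamed database (step 2)
Const SITE_URL  = "http://www.example.com"         ' public host name of the site

Dim objSite, objDir

' Step 1: no directory listings anywhere on the site.
Set objSite = GetObject(SITE_PATH)
objSite.EnableDirBrowsing = False
objSite.SetInfo

' Step 5: remove Read from the database folder. A plain physical subfolder
' has no metabase node until someone sets properties on it, so create one
' if GetObject fails.
On Error Resume Next
Set objDir = GetObject(SITE_PATH & "/" & DB_FOLDER)
If Err.Number <> 0 Then
    Err.Clear
    Set objDir = objSite.Create("IIsWebDirectory", DB_FOLDER)
End If
On Error GoTo 0
objDir.AccessRead = False
objDir.AccessScript = False     ' nothing in the data folder should run, either
objDir.SetInfo

' Verification: request the database exactly as an attacker would. Only an
' HTTP 200 means the file is still downloadable; 403 (Read denied) or 404 is
' what we want.
Function IsDownloadable(url)
    Dim http
    Set http = CreateObject("MSXML2.ServerXMLHTTP")
    http.Open "GET", url, False
    http.Send
    IsDownloadable = (http.Status = 200)
End Function

If IsDownloadable(SITE_URL & "/" & DB_FOLDER & "/" & DB_FILE) Then
    WScript.Echo "STILL EXPOSED: " & DB_FILE & " was served with HTTP 200"
    WScript.Quit 1
End If
WScript.Echo "OK: " & DB_FILE & " is no longer served over HTTP"
```

Run the check again whenever the site is redeployed or moved to another server; it is the permission on the new server that matters, not the one you set on the old one.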
Secure Sockets Layer (SSL)
6. For increased protection against unscrupulous web surfers, you should
always pass sensitive data from the checkout page through the Secure
Sockets Layer (SSL) protocol; without it, card numbers cross the network
in clear text. SSL requires the purchase of an SSL server certificate from
Thawte or VeriSign. For information about configuring our applications
for SSL, please feel free to email us.