Securing BDRefresh.asp, RefreshApp.asp, and Opt-Out.asp

The BDRefresh.asp script clears the Business Desk cache, and the RefreshApp.asp script clears the Profiles cache. Clearing either of these caches repeatedly could lead to a denial of service for users. The opt-out.asp file adds a user to the opt-out list of a direct mail campaign. Malicious access to the opt-out.asp file could also lead to a denial of service for users.

It is recommended that you limit permissions on the BDRefresh.asp, RefreshApp.asp, and opt-out.asp files so that unauthorized users cannot run these scripts. By default, BDRefresh.asp, RefreshApp.asp, and opt-out.asp are located in the root folder of an unpacked Solution Site and are granted anonymous access.

Note

  • Commerce Server Solution Sites require that you grant anonymous access to these files. To prevent denial of service attacks, it is critical that you secure these files.

You secure these files by granting access only to the specific Business Desk users who need access to them. It is recommended that you use both of the following procedures for securing these files:

  • Set IP address access restrictions on these files. Setting this restriction on a file allows access to the file only from the configured IP addresses.
  • Grant access to a particular Windows user account. Setting this restriction on a file allows access only by a user with a particular Windows account, or who is a member of a particular Windows user group.

Note

  • If your site is configured for Windows Authentication, it is recommended that you use both procedures listed above to secure these files. Otherwise, use only IP address access restrictions.

To set IP address access restrictions for BDRefresh.asp, RefreshApp.asp, and opt-out.asp

  1. Click Start, point to Programs, point to Administrative Tools, and then click Internet Services Manager.

  2. In Internet Information Services, in the Tree pane, navigate to BDRefresh.asp.

    Note

    • The BDRefresh.asp, RefreshApp.asp, and opt-out.asp files exist in the root folder of your Commerce Server Solution Site.

  3. Right-click BDRefresh.asp, and then click Properties.

  4. On the File Security tab, in the IP address and domain name restrictions section, click Edit.

  5. In the IP Address and Domain Name Restrictions dialog box, click Denied Access to add the IP addresses of the computers to which you want to deny access, and then click Add.

  6. In the Grant Access On dialog box, enter the IP address of the computer to which you want to deny access, and then click OK. All other computers will be granted access.

    Repeat steps 5 and 6 for each additional IP address of a computer to which you want to deny access to BDRefresh.asp.

  7. In the IP Address and Domain Name Restrictions dialog box, click OK.

  8. In the <filename> Properties dialog box, click OK.

  9. Repeat steps 2 through 8 to secure the RefreshApp.asp and opt-out.asp files.

  10. Restart IIS. For information about restarting IIS, see Restarting IIS and Commerce Server Services.

To grant access to specific Windows user accounts for BDRefresh.asp, RefreshApp.asp, and opt-out.asp

Note

  • This procedure requires that the site be installed on an NTFS partition. For more information about NTFS, see Windows 2000 Server Help.

  1. Click Start, point to Programs, point to Accessories, and then click Windows Explorer.

  2. Navigate to BDRefresh.asp.

    Note

    • The BDRefresh.asp, RefreshApp.asp, and opt-out.asp files exist in <drive>:\Inetpub\wwwroot\<sitename>.

  3. Right-click BDRefresh.asp, and then click Properties.

  4. In the <filename> Properties dialog box, on the Security tab, in the Name box, select Everyone, and then click Remove.

  5. Click Add to add the appropriate users and/or groups of users.

    Note

    • Appropriate users are the Business Desk users to whom you want to allow access to these files.

  6. Click OK to close the Select Users, Computers, or Groups dialog box.

  7. Click OK to close the <filename> Properties dialog box.

  8. Repeat steps 2 through 7 to secure the RefreshApp.asp and opt-out.asp files.
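The two procedures above describe the Internet Services Manager and Windows Explorer dialog boxes of IIS 5 on Windows 2000. The following script is an added example, not part of the Commerce Server documentation, that applies the same two protections (per-file IP address restrictions, then NTFS permissions for a Business Desk group) to all three scripts at once using the IIS 7 and later WebAdministration module. It assumes the ipSecurity configuration section is available, and the site name `CommerceSite`, the path `C:\Inetpub\wwwroot\CommerceSite`, the addresses `10.0.0.21` and `10.0.0.22`, and the group `CONTOSO\BusinessDeskUsers` are placeholders you must replace. Following the first bullet under the recommendation above, it configures each file so that only the listed addresses are allowed and every other address is denied.

```powershell
# Added example (not from the Commerce Server documentation): restrict
# BDRefresh.asp, RefreshApp.asp, and opt-out.asp by client IP address and by
# NTFS permissions. All names and addresses below are assumed placeholders.
Import-Module WebAdministration

$siteName     = 'CommerceSite'                     # assumed IIS site name
$siteRoot     = "C:\Inetpub\wwwroot\$siteName"     # assumed Solution Site root
$scripts      = 'BDRefresh.asp', 'RefreshApp.asp', 'opt-out.asp'
$allowedHosts = '10.0.0.21', '10.0.0.22'           # assumed Business Desk workstations
$bizDeskGroup = 'CONTOSO\BusinessDeskUsers'        # assumed Windows group of Business Desk users
$ipFilter     = 'system.webServer/security/ipSecurity'
$sitePath     = "IIS:\Sites\$siteName"

foreach ($script in $scripts) {
    # ---- Procedure 1: IP address restriction on the individual file ----
    # Start from a clean ipSecurity section for this file so the script can be re-run.
    Clear-WebConfiguration -PSPath $sitePath -Location $script -Filter $ipFilter

    # Deny every address that is not explicitly listed (the page's "Denied Access" default).
    Set-WebConfigurationProperty -PSPath $sitePath -Location $script `
        -Filter $ipFilter -Name 'allowUnlisted' -Value $false

    # List the Business Desk workstations that are allowed to run the script.
    foreach ($ip in $allowedHosts) {
        Add-WebConfigurationProperty -PSPath $sitePath -Location $script `
            -Filter $ipFilter -Name '.' -Value @{ ipAddress = $ip; allowed = 'True' }
    }

    # ---- Procedure 2: NTFS permissions (meaningful only with Windows Authentication) ----
    $path = Join-Path $siteRoot $script

    # Stop inheriting the folder's permissions but keep a copy of the inherited
    # entries, so SYSTEM and Administrators are not locked out by accident.
    $acl = Get-Acl -Path $path
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -Path $path -AclObject $acl

    # Re-read so the copied entries are now explicit and can be edited.
    $acl = Get-Acl -Path $path

    # Remove Everyone (step 4 of the second procedure).
    $everyone = New-Object System.Security.Principal.NTAccount('Everyone')
    $acl.PurgeAccessRules($everyone)

    # Grant the Business Desk group read and execute only (step 5).
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($bizDeskGroup, 'ReadAndExecute', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Verification: show the resulting IP rules and the NTFS ACL of each file.
foreach ($script in $scripts) {
    Get-WebConfiguration -PSPath $sitePath -Location $script -Filter "$ipFilter/add" |
        Select-Object @{ n = 'File'; e = { $script } }, ipAddress, allowed

    (Get-Acl -Path (Join-Path $siteRoot $script)).Access |
        Select-Object @{ n = 'File'; e = { $script } }, IdentityReference, FileSystemRights, AccessControlType
}
```

Run the script in an elevated PowerShell session on the web server. The IP restriction is written as a per-file `<location>` entry in applicationHost.config and is enforced only when the IP and Domain Restrictions feature of IIS is installed, so the verification output at the end should be checked rather than assumed. As the notes above state, apply the NTFS part only when the site uses Windows Authentication; with anonymous access the anonymous account itself would need to be granted read access, which defeats the purpose.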

Copyright © 2005 Microsoft Corporation.
All rights reserved.