
PROJECT SYNOPSIS ON

Employee Outsourcing Management System


(Final Semester Major Project- MCSP-060)

Submitted By
RANA PRATAP SINGH

Under The Guidance Of


DIPAK CHOWDHURY, SOFTWARE DEVELOPER

MicroPro, the Computer Professionals, Park Street, Kolkata

(II) INTRODUCTION & OBJECTIVES OF THE PROJECT

II.0 INTRODUCTION

Employee Outsourcing Management System (E.O.M.S) is a web based application developed to manage the employee information of an organization.

Project Survey

3 Guys is a telecom company whose business process involves site inspection, appropriate planning, installation of poles/towers, alignment of antennas, installation of BTS etc. 3 Guys outsources many employees from different companies such as Nokia, Siemens etc. for its different works, such as installation of towers/poles, at different sites all over India. Depending on the company from which employees are outsourced, there are different payment terms (30/60/90 days) after which 3 Guys receives payment for the employees' salaries. Employees are outsourced on two bases: time based and task based. Time based employees are hired for long term projects; they receive a unique PO and RO Number from their company as soon as they join. Task based employees are hired for short term projects; they receive a PO Number from their company as soon as they join, but for task based employees one PO Number may be shared by several employees.

II.1 OBJECTIVE OF THE PROJECT

Our major project, titled Employee Outsourcing Management System, has been developed keeping the following objectives in mind:

(a) To develop an application suitable for the employees of the organization.
(b) To provide a cost-effective application to handle the company's activities.
(c) To provide an application capable of retrieving various types of information to suit the needs of the employees and the company.

With the ubiquity of web-based systems and the accelerated pace of web-enabling enterprise application systems, a new breed of architectures has been cultivated that addresses the need for high quality under the time-to-market pressures of a web-based economy. In many cases best practices are emerging that enable enterprises to deliver value to their growing and changing customer base in web time.

(III) PROJECT CATEGORY

It is a Relational Database Management System based application written in ASP.NET.

(IV) TOOLS/PLATFORM, HARDWARE AND SOFTWARE REQUIREMENT SPECIFICATIONS

The proposed application will be made in ASP.NET (version 2.0) and Microsoft SQL Server 2005.

IV.0 ASP.NET Framework

The ASP.NET page and controls framework is a programming framework that runs on a Web server to dynamically produce and render ASP.NET Web pages. ASP.NET Web pages can be requested from any browser or client device, and ASP.NET renders markup (such as HTML) to the requesting browser. As a rule, you can use the same page for multiple browsers, because ASP.NET renders the appropriate markup for the browser making the request. However, you can design your ASP.NET Web page to target a specific browser, such as Microsoft Internet Explorer 6, and take advantage of the features of that browser.

IV.1 Introduction to RDBMS

The relational data model is implemented in many commercial systems, and the relational DBMS family encompasses a large number of products. The relational model uses a collection of tables to represent both data and the relationships among that data. Each table has multiple columns, and each column has a unique name. A row in a table represents a relationship among a set of values. Since a table is a collection of such relationships, there is a close correspondence between the concept of a table and the mathematical concept of a relation, from which the relational data model takes its name. To qualify as a genuine RDBMS, a system must have at least the following properties:

(a) It must store data as relations such that each column is independently identified by its column name and the ordering of rows is immaterial.
(b) The operations available to the user, as well as those used internally by the system, should be true relational operations, that is, they should be able to generate new relations from old relations.
(c) The system must support at least one variant of the join operation.

IV.2 Database

A database is a collection of data, that is, an assemblage of ordered, related and self-contained facts that are used and retrieved together for one or more application systems.

The physical location and implementation of the database is transparent to the application programs. One of the major tasks in using a computer system is to store and manage data. To handle this task, one needs specialized software known as a database management system. A DBMS stores, processes and retrieves data.

IV.3 SQL Server 2005

Microsoft SQL Server is a database management and analysis system for CRM, line-of-business, and data warehousing solutions. SQL Server 2005 includes enhanced XML support, integration of .NET Framework objects in databases, improved integration with Microsoft Visual Studio and the Microsoft Office System, as well as improved analysis, reporting, and data integration services. The new security features of Microsoft SQL Server 2005 are designed to make it more secure and to make security more approachable and understandable to those who are responsible for data protection.

IV.4 Hardware and Software Specifications

Minimum Hardware Requirements
(a) Intel P-4 processor
(b) 1 GB DDR2 RAM
(c) 5 GB of free hard disk space
(d) Keyboard, mouse and other necessary peripherals
(e) Printer for printing reports

Minimum Software Requirements
(a) Operating System: Microsoft Windows XP/2000/NT/Vista/7
(b) Web Browser: Internet Explorer / any web browser
(c) Tools/Software Used: Microsoft SQL Server 2005 (Back-end Tool)
(d) Microsoft Visual Studio 2008 (Front-end Tool), ASP.NET (3.5) using C#
(e) Web Server (IIS)

IV.5 Systems Requirements

The system requires a GUI (Graphical User Interface) environment for its implementation. The system has been developed on the Windows XP operating system using SQL Server 2005, Visual Studio 2008 and Internet Explorer, which support both the background and foreground tools needed to develop the system. IIS should be installed on the machine. SQL Server 2005 has been chosen as the backend because of its strong safety of data. It is the database preferred by the market and can be easily updated with its changing versions. Visual Studio 2008 has been chosen because it has excellent graphical support and also supports SQL Server 2005 connections. As a result its compatibility with the backend is very high and connectivity problems are negligible.

(V) PROBLEM DEFINITION, REQUIREMENT SPECIFICATIONS, PROJECT PLANNING AND SCHEDULING

During the survey phase of our project, we needed to identify the key aspects of our proposed application. Having done that, we then had the task of implementing them using our own technical knowledge. In this section, we discuss the major problems we faced during the design phase and how we solved them.

V.0 Identified Problems

The application is supposed to be accessed by both the employees and the administrator of the company. For security reasons, the administrator and the employees will not have access to all the modules of the system. This requires some sort of rights or access management with respect to the user. Employees will have access to their own data only, unless they are given special privileges by the administrator.

According to the payment terms agreed with the different companies, 3 Guys receives payment for the employees after 30/60/90 days. As a result, 3 Guys needs to pay the employees' salaries from the first month they join, and it is currently unable to keep a track record of the payments made to the employees, which it needs to show to the outsourcing companies at the end of their payment terms; the amounts remain due because proper reports are absent.

V.1 Probable Solutions

The user rights/access management issue will be handled by the administrator. The administrator will be responsible for creating a user account with a username and password. The user will be given access to specific modules by the administrator from an available module list generated by the system. The module list and the user login details will be kept in the database. Valid users of the system will log in using a valid username and password. In our case, the administrator and the employees will use their respective employee-id as their user-id. This will help the system identify the user and display only the relevant information.

The probable solution to the payment problem is to create a report sorted by due date, with which 3 Guys can keep track of the due payments.

V.2 SYSTEM REQUIREMENTS SPECIFICATIONS

Identifying functional requirements:

Functional requirements generally deal with the characteristics of the system that can be expressed as functions.

INPUTS OF THE SYSTEM

The inputs to the system are given through a user friendly interface. The user gives account details, loan details, fixed deposit details, fund transfer details and transaction details as input.

PROCESS IN THE SYSTEM

Although there are several processes in the system, the most necessary one is database connectivity, i.e. the process that transfers the data the user enters in the form to the database. It transfers all the entered fields to the appropriate fields of the tables at the database end.

OUTPUTS OF THE SYSTEM

Each input to the system produces a corresponding output.

Identifying non-functional requirements:

Non-functional requirements generally deal with the characteristics of the system that are not expressed as functions, such as the following.

MAINTAINABILITY OF THE SYSTEM

The system is easy to maintain, as its main strength lies in its implementation: the business logic is separated from the implementation details.

PORTABILITY OF THE SYSTEM

The system is portable to the extent that it can be accessed from anywhere, provided the hosting system supports ASP.NET.

HUMAN COMPUTER INTERFACE

The system is designed as simply as possible for user and administrator convenience, as the system is made for the common masses. It clearly indicates what the user and administrator must do step by step. All the ambiguities of the system are flagged as error messages, and the user and administrator are made to follow the right path.

ACCURACY OF RESULTS

It has been taken into account that the results produced are as accurate as possible. Accuracy is of prime concern, as it is tied to the trust of the users of the system.

CHOICE OF DATABASE

It has been seen that the choice of database varies from client to client; therefore the choice of database is a very crucial issue. The database used is a general database which provides a solution for all the anomalies associated with a particular database.

V.3 SYSTEM ANALYSIS

Existing System:

This is a global export and import application which can be hosted on any server. It can also be run on any organization's intranet. Different exporters and importers will use this application. They will register themselves, keep data about the products they export/import, and keep details of clients, shipments etc. With the help of this site, exporters and importers can exchange information among themselves. There will be different modules for importers, exporters and agents that will help them carry out their business.

Drawbacks in the existing system:

(a) Extra manual effort is needed to gather the foreign trade policies and the customs rules and regulations of different countries, which must be provided to importers, exporters and agents.
(b) It used to take much time to find and validate the amount, quality and quantity of goods being exported or imported as per the stated terms and conditions.
(c) The rate charged for the service provided to importers, exporters and agents is also a factor, as there is huge market competition around the world, so constant information on such fields had to be kept.
(d) Legal issues of different countries have to be kept updated and shown to the clients in case of disputes.
(e) The only currencies exchanged are dollars and rupees; no other currency rate is used.
(f) Excise rules and duties are not considered.
(g) Not all countries are capable of using the service of the web site.

Proposed System:

Deciding on and assigning the proper information for the project is an important issue in the different export/import modules. The administrator should report to the developer the necessary information which is to be published on the web site. Personal care should be taken to see whether such information is posted on the web site or not. For that, developers with the necessary skills should be chosen for development. Analyzing the employees' skills is given importance before signing up for the projects. The need for skilful human resources should be of prime importance.

Generation of various reports is very important with regard to customer queries. Different search methods should be provided to ease client queries. An e-mail option should be provided to help clients contact the developer or administrator. A data backup utility should be provided in case the system crashes.

Advantages of the proposed system:

(a) Very fast and efficient transactions, as all required information is stored on one server.
(b) No need for any extra human involvement.
(c) No fear of data loss.
(d) Only a little knowledge is needed to operate the system; it is very easy to operate.
(e) High security, as data are kept on secured servers.
(f) Appropriate and up to date information is given to clients.

Implementation guidelines:

Guidelines that drive the implementation and analysis include:

(a) Any difficulty in designing, coding and testing a modification should signal the need for redesign or re-coding.
(b) Modifications should fit easily into isolated and easy-to-find modules. If they do not, some redesign is needed.
(c) Modifications to tables should be especially easy to make. If any table modification is not quickly and easily done, redesign is indicated.
(d) Modifications should become easier to make as the iterations progress. If they do not, there is a basic problem such as a design flaw or a proliferation of patches.
(e) Patches should normally be allowed to exist for only one or two iterations. Patches may be necessary to avoid redesigning during an implementation phase.
(f) The existing implementation should be analyzed frequently to determine how well it measures up to the project goals.
(g) Program analysis facilities should be used whenever available to aid in the analysis of partial implementations.
(h) User reaction should be solicited and analyzed for indications of deficiencies in the current implementation.

The iterative life cycle process as used in the project can be described as follows:

1. Initial planning:

First, the basic requirements of the project had to be found out, that is, between whom the transactions are to happen. The parties identified were:

(a) Exporter: one who sends goods to other countries.
(b) Importer: one who receives goods into his own country.
(c) Agent: one who stands between the exporter and the importer.

2. Requirements planning:

Non-functional requirements:

(a) Maintainability of the system: the system is easy to maintain, as the business logic, once compiled into the program, does not need to be changed.
(b) Portability of the system: it can be accessed from anywhere ASP.NET is available.
(c) GUI: the system is designed as simply as possible for user and administrator convenience, as the system is made for the common masses.
(d) Accuracy of results: it has been taken into account that the results produced are as accurate as possible.

V.2 System Planning

Once a project is found to be feasible, project planning is undertaken and completed even before any development activity starts. Project planning mainly involves the estimation of some basic attributes of the project:

Cost: How much will it cost to develop the project?
Duration: How long will it take to complete the development process?
Effort: How much effort would be required to develop the proposed system?

Project planning requires utmost care and attention, since commitment to unrealistic time and resource estimates results in schedule slippage. Schedule delays cause customer dissatisfaction and adversely affect team morale. They can even cause project failure. Project planning is therefore a very challenging activity. Developing a system requires planning and coordinating resources within a given time. More importantly, effective project management is needed to organize the available resources, schedule the events, establish standards and meet conversion deadlines. Project planning involves plotting project activities against a time frame. One of the first steps in planning is the development of a road map structure, or network, based on analysis of the tasks that must be performed to complete the project. In developing this system we have mainly used one basic planning tool, the PERT chart. Our project plan has the following format:

(a) Life Cycle Model Used
(b) PERT Chart Representation

V.3 Life Cycle Model Used

A life-cycle model forms a common understanding of the activities among the software engineers and helps them develop the software in a systematic and disciplined manner. We have followed the Iterative Waterfall model. The model is depicted below:

Figure-2- Iterative Waterfall Model

V.4 Iterative Waterfall Model

The iterative model is at the heart of a cyclic software development process developed in response to the weaknesses of the waterfall model. It starts with initial planning and ends with deployment, with cyclic interactions in between.

Iterative development is an essential part of the Rational Unified Process, Extreme Programming and, generally, the various agile software development frameworks. The basic idea is to develop a system through repeated cycles (iterative) and in smaller portions at a time (incremental), allowing software developers to take advantage of what was learned during development of earlier parts or versions of the system. Learning comes from both the development and the use of the system: where possible, the key steps in the process start with a simple implementation of a subset of the software requirements and iteratively enhance the evolving versions until the full system is implemented. At each iteration, design modifications are made and new functional capabilities are added.

V.5 GANTT Chart Representation

We have used planning charts such as the Gantt chart (bar chart) and the PERT chart. Gantt charts are mainly used to allocate resources to activities. The resources allocated to activities include staff, hardware and software.

Figure-3- GANTT Chart Representation

V.6 PERT Chart Representation

PERT chart (program evaluation review technique) represents activities and the task dependencies. Gantt chart representation of a project schedule is helpful in planning the utilization of resources, while PERT chart is useful for monitoring the timely progress of activities. Also, it is easier to identify parallel activities in a project using a PERT chart.

Tasks              Time Needed
A. Requirement     08 Days
B. Design          13 Days
C. Coding          15 Days
D. Verification    03 Days

Figure-4- PERT Chart Representation

(VI) SCOPE OF THE SOLUTION

The system can maintain all the details of the employees and of the companies from which they are outsourced, with the relevant fields. The system can calculate their salaries, which are paid monthly. The system can generate a report showing all the details of the payments due for each company and for each employee. This report can be filtered by date, i.e. it is a date-wise report.

(VII) ANALYSIS (DFDs, ER DIAGRAMS)

Design

The design phase of software development includes creating Data Flow Diagrams and Entity Relationship Diagrams for the project.

VII.0 Data Flow Diagram

A Data Flow Diagram (D.F.D) is a graphical technique that depicts information flow and transformations that are applied as data moves from input to output. The D.F.D is also known as a data flow graph. The D.F.D may be used to represent a system or software at any level of abstraction. Therefore, the D.F.D provides a mechanism for functional modeling as well as information flow modeling.

The 0 level D.F.D, also called a context model, represents the entire software as a single bubble with input and output data indicated by incoming and outgoing arrows, respectively. Additional processes and information flow paths are represented as the 0 level D.F.D is partitioned into 1st and 2nd levels and so on to reveal more detail.

VII.0.1 Context Level D.F.D (0 Level)

Fig-5- Context Level D.F.D

VII.0.2 First Level D.F.D

Fig-6- 1st Level D.F.D

VII.0.3 Second Level D.F.D for Login Process

VII.0.4 Second Level D.F.D for Entry Process

VII.0.5 Second Level D.F.D for Show Details Process

VII.0.6 Second Level D.F.D for Report Process

VII.1.1 Entity Relationship Diagram

Entity Relationship Analysis uses 3 major concepts to describe data. These are:

(a) Entities, which are distinct things in the enterprise.
(b) Relationships, which are meaningful interactions between the objects.
(c) Attributes, which are the properties of the entities and relationships.

Fig-7- E.R.D of Employee Outsourcing Management System

(VIII) COMPLETE STRUCTURE

VIII.0 Number of Modules & their description:

1. Login module (includes Change Password & Recover Password sub modules): validates the user-name & password for providing access to the system.
2. Edit Company Details: provides an interface to edit the company information.
3. Entry Employee Details (Taskbase & Timebase Employees): provides an interface to enter the taskbase & timebase employee details.
4. Update Employee Details: provides an interface to modify the employee details.
5. Delete Employee Details: provides an interface to delete the employee details from the database.
6. Entry Customer Details: provides an interface to enter the customer information.
7. Modify Customer Details: provides an interface to modify the customer details.
8. Delete Customer Details: provides an interface to delete the customer information.
9. Account Receivable: provides an interface for payment processing.
10. Create Customer Billing Statement: provides an interface for creating the Customer Billing Statement.
11. Report Generation: provides an interface for creating reports.

VIII.1 Table Structure

Tables: Company details; Employee details; Payment details; Taskbase details; Timebase details.

Process Logic Of Each Module

Login Module: This module takes care of user authentication. It checks whether the user is valid or not. The user provides valid login credentials to enter the web interface.

The remaining modules follow the same User / Server / Database sequence (reconstructed from the labels of the sequence diagrams):

Edit Company Details: User -> Server: Update screen, update field; Server -> Database: data stored in the database; Database -> Server: confirmation; Server -> User: Update Successful / Error.

Entry Employee Details: User -> Server: Employee Registration screen, update field; Server -> Database: data stored in the database; Database -> Server: confirmation; Server -> User: Update Successful / Error.

Delete Employee Details: User -> Server: Employee Record, delete record; Server -> Database: delete record stored in the database; Database -> Server: confirmation; Server -> User: Delete Successful / Error.

Entry Customer Details: User -> Server: Customer Registration screen, update field; Server -> Database: data stored in the database; Database -> Server: confirmation; Server -> User: Update Successful / Error.

Modify Customer Details: User -> Server: Customer Record screen, update field; Server -> Database: data stored in the database; Database -> Server: confirmation; Server -> User: Update Successful / Error.

Delete Customer Details: User -> Server: Customer Record, delete record; Server -> Database: delete record stored in the database; Database -> Server: confirmation; Server -> User: Delete Successful / Error.

Account Receivable: User -> Server: A/R Voucher screen, update field; Server -> Database: data stored in the database; Database -> Server: confirmation; Server -> User: Update Successful / Error.

VIII IMPLEMENTATION METHODOLOGY

The implementation phase of a new project is crucial to ensure the right foundation is laid for delivering our services. F-Zones' project implementation methodology is the framework within which, together with the project characteristics and specific requirements, the implementation plan is constructed. Since this is a web based project, deploying it is different from deploying traditional standalone systems. Two things are required for implementation: a web server which will host the web pages, and a domain name.

Web server registration is required to put the web pages on a machine which can be accessed by any user over the Internet. A server is a computer which listens to the requests of clients and responds by sending response data. A web server provides service for web pages. So the first job is to register with a web server for hosting the web pages. The domain name is the name of the web site. This is the name by which the various online users access the website, but it does not denote the actual location of the website. It is a simple name provided to a website because the actual physical address is far too complicated for online users to remember.

(IX) NETWORK ARCHITECTURE

Architecture for an Enterprise Web Application

A modern web-based enterprise application has four layers, as shown in Figure-1:

(a) A client layer, which renders web pages.
(b) A presentation layer, which generates web pages, including their dynamic content, and interprets web pages submitted from the client.
(c) A business logic layer, which enforces validations and handles interaction with the database.
(d) A data layer, which stores data between transactions.

Figure-1: Web Client --REQ/RES--> Web Server --REQ/RES--> Database Server

(X) IMPLEMENTATION OF SECURITY MECHANISMS AT VARIOUS LEVELS

The popularity of web servers as a prime target for crackers and worm writers around the globe made IIS a natural place for Microsoft to focus its Trustworthy Computing Initiative. As a result, IIS has been completely redesigned to be secure by default and secure by design. This section discusses the major default configuration and design changes incorporated in IIS 6.0 to make it a more secure platform for hosting critical web applications.

Secure by Default

In the past, vendors including Microsoft packaged the default installations of their web servers with an array of sample scripts, file handlers and minimal file-system permissions to provide administrators the necessary flexibility and ease of use. However, this approach tended to increase the available attack surface and was the basis of several attacks against IIS. As a result, IIS 6.0 is designed to be more secure out-of-the-box than its precursors. The most noticeable change is that IIS 6.0 is not installed by default with Windows Server 2003. Other changes include:

Default installation is only a static HTTP server

The default installation of IIS 6.0 is configured to serve static HTML pages only; dynamic content is not permitted. The following table compares the default features of IIS 5.0 and IIS 6.0.

IIS Component                            IIS 5.0 default install   IIS 6.0 default install
Static file support                      Enabled                   Enabled
ASP                                      Enabled                   Disabled
Server-side includes                     Enabled                   Disabled
Internet Data Connector                  Enabled                   Disabled
WebDAV                                   Enabled                   Disabled
Index Server ISAPI                       Enabled                   Disabled
Internet Printing ISAPI                  Enabled                   Disabled
CGI                                      Enabled                   Disabled
Microsoft FrontPage server extensions    Enabled                   Disabled
Password change interface                Enabled                   Disabled
SMTP                                     Enabled                   Disabled
FTP                                      Enabled                   Disabled
ASP.NET                                  N/A                       Disabled
Background Intelligent Transfer Service  N/A                       Disabled

No sample applications installed

IIS 6.0 does not include any sample scripts and applications like showcode.asp and codebrws.asp. These programs were originally designed to let programmers quickly look at their database connection code in order to debug it. However, showcode.asp and codebrws.asp do not correctly check the input to ensure that the file being requested is within the web root directory. This allows an attacker to read any file (including those containing sensitive information and insightful configuration settings) on the system by traversing back to it. Refer to the following link for more information regarding these vulnerabilities:

Improved file-system access controls

Anonymous users no longer have write access to the home directory of the Web server. In addition, FTP users are isolated in their own home directories. These limitations prevent a user from uploading malicious files to other parts of the server's file system. Such attacks may include web site defacement by uploading files to the web document root and remote command execution via the execution of malicious executables that may be uploaded to the /scripts directory.

No Executable Virtual Directories

No virtual directories have executable permissions on them. This prevents exploitation of the numerous directory traversal, code upload and MDAC exploits that have existed in the past.

Sub-authentication module removed

The IISSUBA.dll has been removed from IIS 6.0. Any accounts that required this functionality in previous versions of IIS required the "access this computer from the network" privilege. Removal of this DLL removes this dependency and thus reduces the attack surface by forcing all authentications directly to the SAM or Active Directory.

Parent Paths are disabled

Access to parent paths in the file system is disabled by default. This is to prevent directory traversal attacks that may allow an attacker to break out of the web document root and gain access to sensitive files on the file system, such as the SAM file. Note that this can however cause problems for migrated applications that used parent paths on previous versions of IIS.

Secure by Design

The fundamental design changes incorporated in IIS 6.0 include improved data validation, enhanced logging, rapid-fail protection, application isolation and adherence to the principle of least privilege.

Improved data validation

A principal new feature in the design of IIS 6.0 is the kernel-mode HTTP driver, HTTP.sys. It is not only tuned to enhance the web server's performance and scalability, but also to significantly strengthen the security posture of the server. HTTP.sys acts as the gateway for user requests to the web server: it first parses the request and then dispatches it to the appropriate user-mode worker process. Restricting the worker processes to user mode prevents them from accessing privileged resources in the system kernel, so the target space of an attacker intending to gain privileged access to the server is greatly limited.

The kernel-mode driver incorporates several security mechanisms to augment the inherently secure design of IIS 6.0. These include protection against potential buffer overflows, improved logging to aid incident response, and advanced URL parsing to check the validity of user requests. In order to impede the exploitation of a buffer or memory overflow vulnerability that may be discovered at a later point in time, Microsoft has applied the defense-in-depth principle in the design of IIS 6.0: specific URL parsing capabilities have been added to the repertoire of features in HTTP.sys, and these can be further fine-tuned by modifying specific registry values. The following table provides a brief overview of the vital registry keys (found at the following path: HKLM\System\CurrentControlSet\Services\HTTP\Parameters):

AllowRestrictedChars
This key accepts a Boolean value which, if non-zero, allows HTTP.sys to accept hex-encoded characters in the request URL. The default value for this key is 0. This is also the recommended value, as it keeps input validation at the server level. If set to 1, potentially malicious characters may be hex-encoded by the attacker in an attempt to bypass input validation routines.

MaxFieldLength
This key allows the administrator to set an upper limit (in bytes) for each header. Its default value is 16KB.

MaxRequestBytes
This key establishes the upper limit on the total size of the request line and the headers. Its default value is also 16KB.

UrlSegmentMaxCount
This key determines the maximum number of URL path segments accepted by the server. It effectively limits the number of slashes that can be included by the user in a request URL. It is recommended that one set fairly stringent limits on this value, based on the depth of the web document root tree, to protect the server from a file system traversal attack. The default value for this key is 255.

UrlSegmentMaxLength
This key sets an upper bound on the maximum number of characters in any URL path segment. This value can also be customized in accordance with the normal operation of the hosted applications, to prevent the acceptance of unusually long segments that may cause the application to behave anomalously. The default value for this key is 260.

EnableNonUTF8
The value of this key controls the character set that is permitted by HTTP.sys. The default value of 1 permits HTTP.sys to accept ANSI- and DBCS-encoded URLs in addition to those encoded in the UTF-8 format.
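The registry keys above can be audited and applied from PowerShell. This is an added example, not part of the original synopsis or of IIS itself; it assumes an elevated session on the Windows Server 2003 / IIS 6.0 host, and the stricter UrlSegmentMaxCount and EnableNonUTF8 values in the hardened baseline are assumed hardening choices rather than values from the text.

```powershell
# Added example (not from the original synopsis): audit the HTTP.sys registry
# values from the table above against a hardened baseline and apply it.
# Assumes Windows Server 2003 / IIS 6.0 and an elevated PowerShell session.
$HttpParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Built-in defaults quoted in the table (16 KB = 16384 bytes). An absent
# registry value means HTTP.sys is using one of these.
$Defaults = @{ AllowRestrictedChars = 0; MaxFieldLength = 16384; MaxRequestBytes = 16384
               UrlSegmentMaxCount = 255; UrlSegmentMaxLength = 260; EnableNonUTF8 = 1 }

# Hardened baseline: reject hex-encoded restricted characters, bound path depth
# to the document tree, accept UTF-8 URLs only. The UrlSegmentMaxCount of 32 and
# EnableNonUTF8 of 0 are assumed choices; tune them to the hosted applications.
$Hardened = @{ AllowRestrictedChars = 0; MaxFieldLength = 16384; MaxRequestBytes = 16384
               UrlSegmentMaxCount = 32; UrlSegmentMaxLength = 260; EnableNonUTF8 = 0 }

function Get-HttpSysParameter {
    param([string]$Name)
    $item = Get-ItemProperty -Path $HttpParams -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Defaults[$Name] }   # value not set: default applies
    return [int]$item.$Name
}

function Test-HttpSysHardening {
    # One row per value: effective setting, hardened target, compliance flag.
    foreach ($name in ($Hardened.Keys | Sort-Object)) {
        $actual = Get-HttpSysParameter -Name $name
        [pscustomobject]@{
            Name      = $name
            Effective = $actual
            Target    = $Hardened[$name]
            Compliant = ($actual -eq $Hardened[$name])
        }
    }
}

function Set-HttpSysHardening {
    # Write every non-compliant value as REG_DWORD. HTTP.sys reads these at
    # service start, so restart it afterwards: net stop http /y; net start w3svc
    foreach ($row in (Test-HttpSysHardening | Where-Object { -not $_.Compliant })) {
        New-ItemProperty -Path $HttpParams -Name $row.Name -Value $row.Target `
            -PropertyType DWord -Force | Out-Null
    }
}

Test-HttpSysHardening | Format-Table -AutoSize
```

Run Test-HttpSysHardening first to see which values deviate; Set-HttpSysHardening changes only those rows and takes effect after the HTTP service is restarted.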

Enhanced logging mechanisms

Comprehensive logging is a fundamental requirement for the successful detection of, and response to, a security incident. Microsoft has recognized this need and implemented an extensive and reliable logging mechanism in HTTP.sys. HTTP.sys writes to the log file before dispatching the request to the specific worker process, so an error condition is logged even if it causes the worker process to terminate. An entry in the log file consists of the date and time stamp of the error condition, the source and destination IP addresses and ports, the protocol version, the HTTP verb, the URL, the protocol status, the site ID and the HTTP.sys reason phrase. The reason phrase provides detailed information about why the error occurred, for example whether it is attributable to a timeout condition or to a connection being abandoned by the application pool because its worker process terminated unexpectedly.

Rapid-Fail Protection

In addition to tweaking the registry, an IIS 6.0 administrator can configure the server to automatically shut down or restart worker processes whose applications have failed repeatedly (a set number of times) within a specific period of time. This is an additional safeguard to protect the application against repeated failures, which may be an indication of attack. This feature is called Rapid-Fail Protection, and it can be configured through IIS Manager as follows:

1. In IIS Manager, expand the local computer.
2. Expand Application Pools.
3. Right-click the application pool.
4. Click Properties.
5. On the Health tab, check the Enable rapid-fail protection box.
6. In the Failures box, type the number of worker process failures to be tolerated before the process is shut down.
7. In the Time Period box, specify the number of minutes over which worker process failures are allowed to accumulate.
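The log format and the Rapid-Fail Protection rule described above can be combined into a small triage script that summarises HTTP.sys reason phrases and flags sites whose worker-process crashes would have tripped the threshold. This is an added example, not from the original synopsis; the log lines are constructed to match the field order given in the text, and the crash threshold and time window are assumed values mirroring the Health tab settings.

```powershell
# Added example (not from the original synopsis): parse HTTP.sys error-log
# entries with the field order given above, summarise reason phrases, and flag
# sites whose worker-process crashes would trip Rapid-Fail Protection.
# The log lines below are constructed for this example.
$SampleLog = @'
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason
2009-03-12 10:01:05 203.0.113.7 1812 192.0.2.10 80 HTTP/1.1 GET /eoms/login.aspx 400 1 BadRequest
2009-03-12 10:01:40 203.0.113.7 1813 192.0.2.10 80 - - - - 1 Timer_ConnectionIdle
2009-03-12 10:02:10 203.0.113.9 2207 192.0.2.10 80 HTTP/1.1 POST /eoms/report.aspx 503 1 Connection_Abandoned_By_AppPool
2009-03-12 10:03:02 203.0.113.9 2208 192.0.2.10 80 HTTP/1.1 POST /eoms/report.aspx 503 1 Connection_Abandoned_By_AppPool
2009-03-12 10:04:15 203.0.113.9 2209 192.0.2.10 80 HTTP/1.1 POST /eoms/report.aspx 503 1 Connection_Abandoned_By_AppPool
2009-03-12 10:20:00 203.0.113.9 2210 192.0.2.10 80 HTTP/1.1 GET /eoms/index.aspx 503 2 Connection_Abandoned_By_AppPool
'@

function ConvertFrom-HttpErrLine {
    param([string]$Line)
    if ($Line -match '^\s*(#|$)') { return }        # skip directives and blanks
    $f = $Line -split '\s+'
    if ($f.Count -lt 12) { return }                   # malformed line: ignore
    [pscustomobject]@{
        Time     = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                       [Globalization.CultureInfo]::InvariantCulture)
        ClientIp = $f[2]; ServerIp = $f[4]; Verb = $f[7]; Url = $f[8]
        Status   = $f[9]; SiteId = $f[10]; Reason = $f[11]
    }
}

$Entries = $SampleLog -split '\r?\n' | ForEach-Object { ConvertFrom-HttpErrLine $_ }

# 1. What went wrong, by reason phrase (timeouts vs. abandoned connections).
$Entries | Group-Object Reason | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 2. Replay the Rapid-Fail rule (N crashes in M minutes; assumed values) over the
#    Connection_Abandoned_By_AppPool entries that a worker-process crash produces.
$MaxCrashes = 3; $WindowMinutes = 5
$Crashes = $Entries | Where-Object { $_.Reason -eq 'Connection_Abandoned_By_AppPool' }
foreach ($site in ($Crashes | Group-Object SiteId)) {
    $times = @($site.Group | ForEach-Object { $_.Time } | Sort-Object)
    for ($i = 0; $i + $MaxCrashes -le $times.Count; $i++) {
        $span = $times[$i + $MaxCrashes - 1] - $times[$i]
        if ($span.TotalMinutes -le $WindowMinutes) {
            Write-Warning ("Site {0}: {1} worker-process crashes within {2:N1} min from {3}" -f
                $site.Name, $MaxCrashes, $span.TotalMinutes, $times[$i])
            break
        }
    }
}
```

Against the constructed sample, site 1 is flagged (three crashes in just over two minutes) while site 2, with a single crash, is not; replace $SampleLog with Get-Content of the server's HTTPERR log to run it on real data.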
Application isolation

In previous versions of IIS (version 5.0 and earlier), the performance penalty for segregating web applications into independent units made it infeasible to do so. Thus, more often than not, the failure or compromise of one web application had a cascading effect on the other applications resident on the same web server. However, performance enhancements coupled with design changes to the request processing architecture of IIS 6.0 have made it viable to isolate applications into self-contained units called application pools without affecting performance. Each application pool is served by one or more independent worker processes. This localizes failure, preventing the malfunction of one worker process from affecting the others, and so boosts the reliability of the server and in turn that of the applications it hosts.

Adherence to the principle of least privilege

IIS 6.0 adheres to a fundamental tenet of security, the principle of least privilege. This is achieved by placing all the code that needs to run with Local System (high-level) privileges in HTTP.sys. All the worker processes execute as Network Service, a new built-in account in Windows 2003 with extremely limited operating system rights. Further, IIS 6.0 only allows system administrators to execute command-line tools, thus preventing malicious exploits from using these tools. These design changes reduce the exposure resulting from the compromise of the server via a potential vulnerability. Apart from these fundamental design changes, some simple configuration modifications include denying anonymous users write access to the home directory of the web server and isolating FTP users into

(XI) FUTURE SCOPE AND FURTHER ENHANCEMENT OF THE PROJECT:

The future scope of the 3 Guys project is as follows:

In the Forgot Password section, the password can be emailed to the user's email address.

128-bit encryption will be used for administrator password and database security.

New modules can be added to shoulder more responsibilities of the company.

