aspnet user and integrated security (SQL Server)


Phil Townsend

I have been attempting to persuade our systems admin staff to allow us
to use integrated security by adding the aspnet user to SQL Server.
Currently we are forced to use a connection string that passes user
names/passwords on the connection string itself. I know that using
integrated security is a more secure way of doing this. However, our
systems admin is saying that this is not possible on our current
configuration of Win2000 and IIS 5.0 as the aspnet user is not a domain
level account. They are also concerned that if the aspnet user is
granted access to one application, then that application would have
access to other .net web apps on the same db server. Is this a valid
response?

Also, could security on this server be better addressed by setting up
each application to run under separate instances of sql server running
on one machine? I have read some about this but have never seen it in
place.

Thanks...
 
Users of a database are granted access at the database level, not the server
level. Therefore, if the security is set up correctly, a user can only
access databases that they have rights to.
 
Phil Townsend said:
I have been attempting to persuade our systems admin staff to allow us
to use integrated security by adding the aspnet user to SQL Server.
Currently we are forced to use a connection string that passes user
names/passwords on the connection string itself. I know that using
integrated security is a more secure way of doing this. However, our
systems admin is saying that this is not possible on our current
configuration of Win2000 and IIS 5.0 as the aspnet user is not a domain
level account.

In your web.config files for your apps, add <identity impersonate="true" />
and the current logged in identity (if you're using windows authentication
and not forms authentication) will be passed to IIS. IIS cannot pass that
on to SQL Server on another machine but if IIS and SQL Server are on the
same machine, you can use integrated security.

They are also concerned that if the aspnet user is
granted access to one application, then that application would have
access to other .net web apps on the same db server. Is this a valid
response?

They are correct. I have to respectfully disagree with Peter Rilling's
response in your case. Technically, he is correct. The problem is, in your
case what you're proposing is using a domain account for ASP.Net and using
that account to access the SQL Server. That means that any developer that
can write SQL Server access code using that account suddenly has access to
all data on the server that the ASP.Net account has access to.

The alternative is that any domain admin who has access to the connection
string has access to all the data. You can encrypt the connection string
for storing in the registry though and limit the exposure.

It is a tough problem; one that Microsoft needs to put some serious work
into resolving.

Also, could security on this server be better addressed by setting up
each application to run under separate instances of sql server running
on one machine? I have read some about this but have never seen it in
place.

The memory and processor requirements for using separate instances would be
enormous. I wouldn't recommend it.

Thanks...


HTH

Dale Preston
MCAD, MCDBA, MCSE
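
The database-level scoping mentioned in the first reply, for the same-machine IIS and SQL Server case, as an added example that is not part of the original thread. The machine name WEBSRV01, the databases OrdersDb and PayrollDb, the role orders_app and the procedure dbo.usp_GetOrders are assumptions made up for illustration; the system procedures are the SQL Server 2000 ones.

```sql
-- Constructed example: WEBSRV01, OrdersDb, PayrollDb, orders_app and
-- dbo.usp_GetOrders are hypothetical names, not taken from the thread.

-- 1. Give the local ASP.NET worker account a server login
--    (Windows authentication, so no password in any connection string).
EXEC sp_grantlogin N'WEBSRV01\ASPNET';
GO

-- 2. Map that login to a user in OrdersDb only.
--    No user is created in PayrollDb, so the login cannot open it
--    unless the guest user has been enabled there.
USE OrdersDb;
GO
EXEC sp_grantdbaccess N'WEBSRV01\ASPNET', N'aspnet_orders';
GO

-- 3. Grant rights through a role, and only on the objects the
--    application calls, rather than adding the user to db_owner
--    or db_datareader.
EXEC sp_addrole N'orders_app';
EXEC sp_addrolemember N'orders_app', N'aspnet_orders';
GRANT EXECUTE ON dbo.usp_GetOrders TO orders_app;
GO

-- 4. Review: list every database this login is mapped into.
--    Anything other than OrdersDb in the output is unintended access.
EXEC sp_helplogins N'WEBSRV01\ASPNET';
GO

-- The matching connection string carries no credentials:
--   Server=(local);Database=OrdersDb;Integrated Security=SSPI;
```

This limits which databases the ASPNET login can reach, but every web application that runs under that same account shares the login, which is the concern raised in the second reply.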
 