Stanton_Roux
asked on
Secure Connection string + Global.asa
Hi There
I have a connection string in my Global.asa file that looks something like this.
Session("connstring") = "driver={SQL Server};server=.;database=myDB;uid=sa;pwd=password"
I want to write the connection string so that the username and password are not in the string.
Also, I don't want the web app to run using my SA account.
What are the minimum rights a SQL account must have in order to run a web app?
The username/password must be in the string. You can make it a variable, but then still it needs to be in it. You could create an ODBC-connection on the server, and refer to the name of the ODBC-connection - that's the only way I know to have username/password elsewhere.
Also, I would like to recommend using OLEDB:
PROVIDER=SQLOLEDB;DATA SOURCE=localhost;USER ID=sa;PASSWORD=;DATABASE=myDB;
For the permissions of the account: carl_tawn already answered that question
> The first step is to give the IUSR_<machine name> account login
> permissions to the SQL Server then allow it access to the database(s).
... this assumes that your web app uses anonymous authentication.
You could also do it by setting up the machine's DSN.
ASKER
Is it not a security risk giving the IUSR account access to the DB?
> Is it not a security risk giving the IUSR account access to the DB?
You could argue that exposing your database to anybody anyhow is a security risk. But your database isn't much use if no one can access it.
SQL Server provides a very fine grained security model so you can easily limit access to the specific database(s) and database objects that each user is allowed to access.
I would say that, so long as you provide access only to the required databases, using Windows Integrated authentication via the IUSR account is much less of a security risk, because this way you never send passwords over the wire.
The account basically just needs to be a standard user account with read/write permissions on the appropriate tables and execute on any stored procs.
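The two answers above (give the IIS anonymous account a login and database access; grant it only read/write on the app's tables and execute on its procs) are easy to get wrong by reaching for db_owner or db_datawriter. The T-SQL below is an added example, not code from this thread or from any of the posters, showing the least-privilege setup as a script. Every name in it is assumed for illustration: the web server is WEBSRV, so the anonymous account is WEBSRV\IUSR_WEBSRV; the database is myDB (from the question); the app's tables are dbo.Customers and dbo.Orders and its procedure is dbo.usp_PlaceOrder. Syntax is SQL Server 2005 or later; on SQL Server 2000, which the question's `driver={SQL Server}` string suggests, the same steps are sp_grantlogin, sp_grantdbaccess, sp_addrole and sp_addrolemember.

```sql
-- Added example (not from the original thread). Assumed names: WEBSRV\IUSR_WEBSRV,
-- myDB, dbo.Customers, dbo.Orders, dbo.usp_PlaceOrder, webapp_role.
USE master;
GO

-- 1. Server-level login for the IIS anonymous account (Windows authentication, so no
--    password is stored anywhere). It gets no server role: in particular, not sysadmin.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'WEBSRV\IUSR_WEBSRV')
    CREATE LOGIN [WEBSRV\IUSR_WEBSRV] FROM WINDOWS WITH DEFAULT_DATABASE = myDB;
GO

USE myDB;
GO

-- 2. Database user mapped to that login. Deliberately NOT added to db_owner,
--    db_datareader or db_datawriter, which would cover every table in the database.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'WEBSRV\IUSR_WEBSRV')
    CREATE USER [WEBSRV\IUSR_WEBSRV] FOR LOGIN [WEBSRV\IUSR_WEBSRV];
GO

-- 3. A database role that holds exactly the app's rights. Granting to a role rather
--    than to the user keeps the grants in one place if the web account ever changes.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'webapp_role' AND type = 'R')
    CREATE ROLE webapp_role;
GO

-- Read/write only on the tables the app actually touches. No ALTER, no CONTROL and
-- no schema-wide GRANT, so a table added later is not exposed by default.
GRANT SELECT, INSERT, UPDATE         ON dbo.Customers TO webapp_role;
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders    TO webapp_role;

-- EXECUTE on the app's stored procedures. Because the proc and its tables share the
-- dbo owner, ownership chaining lets the proc read/write those tables without the
-- caller holding table permissions, so if all data access goes through procs the
-- table grants above can be dropped for whatever the procs cover.
GRANT EXECUTE ON dbo.usp_PlaceOrder TO webapp_role;

-- 4. Put the web account into the role. sp_addrolemember is used instead of
--    ALTER ROLE ... ADD MEMBER so the script also runs on SQL Server 2005/2008.
EXEC sp_addrolemember N'webapp_role', N'WEBSRV\IUSR_WEBSRV';
GO

-- 5. Verify from the account's own point of view: impersonate it and check what it
--    can do. Each column is 1 if the permission is held and 0 if not; the last
--    column is db_owner membership.
EXECUTE AS USER = N'WEBSRV\IUSR_WEBSRV';
SELECT HAS_PERMS_BY_NAME(N'dbo.Orders',         N'OBJECT', N'DELETE')  AS can_delete_orders,
       HAS_PERMS_BY_NAME(N'dbo.Customers',      N'OBJECT', N'DELETE')  AS can_delete_customers,
       HAS_PERMS_BY_NAME(N'dbo.usp_PlaceOrder', N'OBJECT', N'EXECUTE') AS can_exec_proc,
       IS_MEMBER(N'db_owner')                                           AS is_db_owner;
REVERT;
GO
```

Run it as a sysadmin once, then check the final SELECT: can_delete_customers and is_db_owner should both be 0, which is the point of the exercise. With the login in place the Global.asa string no longer carries any credentials; with the OLEDB provider recommended above it becomes `Provider=SQLOLEDB;Data Source=.;Initial Catalog=myDB;Integrated Security=SSPI`. One caveat: this works here because the question's `server=.` means SQL Server is on the same machine as IIS, so the local IUSR account is known to both; for a SQL Server on another host the anonymous account would have to be a domain account, since a local machine account cannot authenticate to a remote server.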