Secure Connection string + Global.asa

Posted on 2006-03-31
Medium Priority
Last Modified: 2008-03-06
Hi There

I have a connection string in my Global.asa file that looks something like this.

Session("connstring") = "driver={SQL Server};server=.;database=myDB;uid=sa;pwd=password"

I want to write the connection string so that the username and password are not in the string.
Also, I don't want the web app to run using my SA account.

What are the minimum rights a SQL account must have in order to run a web app?
Question by:Stanton_Roux

Expert Comment

by:Carl Tawn
ID: 16340903
It depends.

The account basically just needs to be a standard user account with the read/write permissions to the appropriate tables and execute on any stored procs.

Expert Comment

ID: 16340949
The username/password must be in the string. You can make it a variable, but then still it needs to be in it. You could create an ODBC-connection on the server, and refer to the name of the ODBC-connection - that's the only way I know to have username/password elsewhere.

Also, I would like to recommend using OLEDB:


For the permissions of the account: carl_tawn already answered that question

Accepted Solution

deighc earned 2000 total points
ID: 16342196
Another way is not to use SQL authentication at all - use Windows authentication to the SQL Server instead.

The first step is to give the IUSR_<machine name> account login permissions to the SQL Server then allow it access to the database(s).

After that you need to change your connection string to:

Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=<db name>;Data Source=<name or IP of SQL Server>

This way the user authentication to the SQL Server is done using Windows credentials and you never have to send a username and password with the connection string.
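
The steps in the accepted answer above, combined with the table- and procedure-level permissions from the first comment, as an added T-SQL example (SQL Server 2005 or later) that is not part of the original thread. The machine name WEBSRV01, the role web_app and the objects dbo.Orders, dbo.Products and dbo.usp_PlaceOrder are hypothetical; it assumes IIS and SQL Server run on the same machine, as `server=.` in the question suggests, and that the site uses anonymous authentication.

```sql
-- Added example: least-privilege Windows login for the anonymous IIS account.
-- WEBSRV01, web_app and the dbo.* object names are hypothetical placeholders.

USE master;
GO
-- 1. Let the IUSR account log in to the instance (no server roles are granted).
CREATE LOGIN [WEBSRV01\IUSR_WEBSRV01] FROM WINDOWS
    WITH DEFAULT_DATABASE = [myDB];
GO

USE [myDB];
GO
-- 2. Map the login to a user in this database only.
CREATE USER [WEBSRV01\IUSR_WEBSRV01] FOR LOGIN [WEBSRV01\IUSR_WEBSRV01];

-- 3. Put the permissions on a role so they can be reviewed in one place.
CREATE ROLE web_app;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders         TO web_app;  -- read/write table
GRANT SELECT                 ON dbo.Products       TO web_app;  -- read-only table
GRANT EXECUTE                ON dbo.usp_PlaceOrder TO web_app;  -- stored procedure
EXEC sp_addrolemember 'web_app', 'WEBSRV01\IUSR_WEBSRV01';
GO

-- 4. Review: the login must not be a member of sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'WEBSRV01\IUSR_WEBSRV01') AS is_sysadmin;

-- 5. Review: every permission the role holds, object by object.
SELECT pr.name               AS grantee,
       pe.state_desc         AS state,
       pe.permission_name    AS permission,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'web_app';

-- 6. Review: database roles the IUSR user belongs to (db_owner, db_datareader
--    and similar broad roles should not appear here).
SELECT r.name AS role_name
FROM sys.database_role_members AS m
JOIN sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'WEBSRV01\IUSR_WEBSRV01';
```

After this runs, the Integrated Security connection string from the accepted answer connects as the IUSR account, and the application no longer needs the sa credentials from the original Global.asa string.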


Expert Comment

ID: 16342201
> The first step is to give the IUSR_<machine name> account login
> permissions to the SQL Server then allow it access to the database(s).

... this assumes that your web app uses anonymous authentication.

Expert Comment

ID: 16344273
You could also do it by setting up the machine's DSN.

Author Comment

ID: 16358100
Is it not a security risk giving the iuser account access to the DB?

Expert Comment

ID: 16368528
> Is it not a security risk giving the iuser account access to the DB?

You could argue that exposing your database to anybody anyhow is a security risk. But your database isn't much use if no one can access it.

SQL Server provides a very fine grained security model so you can easily limit access to the specific database(s) and database objects that each user is allowed to access.

I would say that, so long as you provide access only to the required databases, using Windows Integrated authentication via the IUSR account is much less of a security risk because this way you never send passwords over the wire.
