Secure Connection string + Global.asa

Posted on 2006-03-31
Last Modified: 2008-03-06
Hi There

I have a connection string in my Global.asa file that looks something like this.

Session("connstring") = "driver={SQL Server};server=.;database=myDB;uid=sa;pwd=password"

I want to write the connection string so that the username and password are not in the string.
Also I don't want the web app to run using my SA account.

What's the minimum rights a SQL account must have in order to run a web app?
Question by:Stanton_Roux
    LVL 52

    Expert Comment

    by:Carl Tawn
    It depends.

    The account basically just needs to be a standard user account with read/write permissions on the appropriate tables and execute on any stored procs.
    LVL 28

    Expert Comment

    The username/password must be in the string. You can make it a variable, but then still it needs to be in it. You could create an ODBC-connection on the server, and refer to the name of the ODBC-connection - that's the only way I know to have username/password elsewhere.

    Also I would like to recommend using OLEDB:

    For the permissions of the account: carl_tawn already answered that question
    LVL 15

    Accepted Solution

    Another way is not to use SQL authentication at all - use Windows authentication to the SQL Server instead.

    The first step is to give the IUSR_<machine name> account login permissions to the SQL Server then allow it access to the database(s).

    After that you need to change your connection string to:

    Provider=SQLOLEDB.1;Integrated Security=SSPI;Persist Security Info=False;Initial Catalog=<db name>;Data Source=<name or IP of SQL Server>

    This way the user authentication to the SQL Server is done using Windows credentials and you never have to send a username and password with the connection string.
    LVL 15

    Expert Comment

    > The first step is to give the IUSR_<machine name> account login
    > permissions to the SQL Server then allow it access to the database(s).

    ... this assumes that your web app uses anonymous authentication.
    LVL 25

    Expert Comment

    You could also do it by setting up the machine's DSN.

    Author Comment

    Is it not a security risk giving the IUSR account access to the DB?
    LVL 15

    Expert Comment

    > Is it not a security risk giving the IUSR account access to the DB?

    You could argue that exposing your database to anybody anyhow is a security risk. But your database isn't much use if no one can access it.

    SQL Server provides a very fine grained security model so you can easily limit access to the specific database(s) and database objects that each user is allowed to access.

    I would say that, so long as you provide access only to the required databases, using Windows Integrated authentication via the IUSR account is much less of a security risk because this way you never send passwords over the wire.
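    A least-privilege setup for the Windows-authenticated approach in the accepted solution, combined with the "standard user with read/write on the app's tables and execute on its procs" rule from the first comment. This is an added example, not code from the thread; it assumes SQL Server 2005 T-SQL syntax, a web server named WEBSRV (so the anonymous account is WEBSRV\IUSR_WEBSRV), the myDB database from the question, and placeholder objects dbo.Orders and dbo.usp_GetOrders standing in for the application's real tables and procedures.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+ syntax,
-- web server host WEBSRV (anonymous account WEBSRV\IUSR_WEBSRV),
-- database myDB from the question, and placeholder objects dbo.Orders and
-- dbo.usp_GetOrders standing in for the app's real tables and procedures.

-- 1. Server level: a Windows login for the IIS anonymous account.
--    No password is stored anywhere; SSPI proves identity at connect time,
--    which is what Integrated Security=SSPI in the connection string relies on.
USE master;
CREATE LOGIN [WEBSRV\IUSR_WEBSRV] FROM WINDOWS
    WITH DEFAULT_DATABASE = myDB;

-- 2. Database level: map the login to a user in the one database it needs.
--    Deliberately no sysadmin or db_owner membership, and no sa involvement.
USE myDB;
CREATE USER [WEBSRV\IUSR_WEBSRV] FOR LOGIN [WEBSRV\IUSR_WEBSRV];

-- 3. A role holding exactly the rights the ASP code exercises.
CREATE ROLE WebAppRole;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders        TO WebAppRole;  -- read/write on app tables
GRANT EXECUTE                  ON dbo.usp_GetOrders TO WebAppRole;  -- execute on app procs
-- Nothing else: no DELETE or ALTER, no rights on other tables,
-- no rights in other databases.

EXEC sp_addrolemember 'WebAppRole', 'WEBSRV\IUSR_WEBSRV';

-- 4. Verify the effective grants for the role before going live.
SELECT dp.state_desc, dp.permission_name,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions dp
JOIN sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = 'WebAppRole';
```

If the site uses Windows authentication in IIS rather than anonymous access (the point raised in the follow-up comment), create the login for the application's own service or domain account instead of IUSR.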
