We are pondering our security risks for an ASP.NET application that accesses a SQL Server 2005 database server. The web app is outside our firewall while SQL Server is inside. We are using ASP.NET forms authentication on the front end. A trusted service identity, in the form of SQL Server account credentials, is used to access the database. The trusted service identity is recorded in encrypted connection strings along with the IP address of SQL Server. We have installed an SSL certificate on SQL Server to prevent packet sniffing.
From all that we have read, including http://msdn.microsoft.com/en-us/library/aa302392.aspx, our primary risk is someone hacking the password to the sa account. How difficult would that be given a fairly strong password? Are there other risks that we should take seriously?