skyjumperdude
asked on
Using AD authentication on web application to access database
Hi All,
We have a web application which never used user AD authentication. We will be implementing auditing software which requires users to use their AD authentication.
Our database developer is worried that if we start using AD authentication and if the user has any query analyzer tools then we would have a security vulnerability.
Is there anything or way we can have users access the database but not allow them to use query analyzer tools?
Any help would be greatly appreciated.
Thanks
We have a web application which never used user AD authentication. We will be implementing auditing software which requires users to use their AD authentication.
Our database developer is worried that if we start using AD authentication and if the user has any query analyzer tools then we would have a security vulnerability.
Is there anything or way we can have users access the database but not allow them to use query analyzer tools?
Any help would be greatly appreciated.
Thanks
ASKER
Our web app server is in DMZ and the database is on internal Lan. Majority of the users will be accessing from internal lan. Our dba developer is worried that the users might be able to access the db through any query analyzer or other tools to pull out sensitive data.
Ok, where ever you web server, your data should be accessed only through the web server right, but not through query analyzer for any user (not the dba's of course).
if that is the case, then as I said earlier, allow only the IP address of your webserver to connect to this SQL Server machine (windows machine).
As the all other users will have different IP's they will not be able to connect to the server at all in the first place.
Even a query analyzer internally will send a tcp/ip message with its IP, if the IP is not allowed by the server the query analyzer gives the message saying cannot connect.
if that is the case, then as I said earlier, allow only the IP address of your webserver to connect to this SQL Server machine (windows machine).
As the all other users will have different IP's they will not be able to connect to the server at all in the first place.
Even a query analyzer internally will send a tcp/ip message with its IP, if the IP is not allowed by the server the query analyzer gives the message saying cannot connect.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
MS is helping us to secure it from SQL server side as the traffic isn't going through our firewall.
Allow only the IP of your webserver only to pass through the SQL Server, and block all other IP's.
Now if a user wants to connect to the server from his machine, he will not be able to as the network will not be established in the first place, although he will be able to login.