SQL SERVER 2012 Best Practice regarding Web apps connecting to SQL Server

  • With regards to security, what is the best practice regarding Web Applications connecting to SQL Server 2012 Databases.

    Thanks in advance!

  • It's SQL Server. Every security setting you would use to ensure proper protection of the system is the same when dealing with web pages as when dealing with traditional client server situations. For details on securing your servers, I recommend Denny Cherry's book on security.

    "The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
    - Theodore Roosevelt

    Author of:
    SQL Server Execution Plans
    SQL Server Query Performance Tuning

  • Thanks. That's kinda what I thought. Unfortunately, most of the places I've worked embedded the login and password within the application connection config file, which, I knew, is very bad. Integrated Security/Windows Authentication groups is really the way to go.

  • Yes. Absolutely. An application login using AD is correct. Further, that login should not be 'sa' on the server. It also shouldn't even be 'dbo' on the database. However, all this is just scratching the surface. From a security standpoint you also have to worry about firewalls, SQL injection and all sorts of other stuff. That's why I recommend the book rather than try to replicate it in a forum post.

  • You can encrypt connection strings in your config files to help security some. If you're using SQL Server or Windows authentication, you do want all connections from the application server to the database server to be using the same login though, so that you can enable connection pooling:
    https://msdn.microsoft.com/en-us/library/8xx3tyca(v=vs.110).aspx
    You can change what login IIS would use with the database for Windows authentication in the Application Pool, Identity property:
    https://www.syncfusion.com/kb/6897/how-to-add-permission-for-iis-application-pool-to-access-sql-server-database
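Putting the replies above together (an AD-based application login that is neither 'sa' nor 'dbo', mapped to the identity the IIS application pool runs as), here is an added T-SQL example that is not from the thread or any of its posters. The domain account CONTOSO\WebAppPoolSvc, the database AppDb and the role WebAppRole are assumed placeholder names.

```sql
-- Added example (not from the thread). Placeholders: CONTOSO\WebAppPoolSvc is
-- the assumed domain account set as the IIS Application Pool identity; AppDb is
-- the application database; WebAppRole is a custom, least-privilege role.
USE master;
GO
-- Windows-authenticated login: the web.config then needs only
-- Integrated Security=SSPI, with no user name or password embedded in it.
CREATE LOGIN [CONTOSO\WebAppPoolSvc] FROM WINDOWS;
GO
-- Deliberately NOT added to the sysadmin server role ('sa'-level rights).
USE AppDb;
GO
CREATE USER [CONTOSO\WebAppPoolSvc] FOR LOGIN [CONTOSO\WebAppPoolSvc];
GO
-- A custom role instead of db_owner: grant only what the web app actually uses.
CREATE ROLE WebAppRole;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO WebAppRole;
GRANT EXECUTE ON SCHEMA::dbo TO WebAppRole;
ALTER ROLE WebAppRole ADD MEMBER [CONTOSO\WebAppPoolSvc];
GO
-- Verification: both checks return 1 if the principal holds the role,
-- so a least-privilege application login should show 0 for each.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CONTOSO\WebAppPoolSvc') AS is_sysadmin;
SELECT IS_ROLEMEMBER('db_owner', 'CONTOSO\WebAppPoolSvc')     AS is_db_owner;
GO
```

Because every web request then connects as the same Windows login, the pooling requirement from the post above is also satisfied.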
