June 2, 2010 at 6:25 am
I am working on moving some databases for our web applications from SQL 2000 to SQL 2008 R2. In doing so I am re-evaluating how security is setup for these apps. Currently they use SQL Logins and the username and password are listed in the connection string of the app so they can connect to SQL server. The apps will work with SQL Logins but it seems that Domain accounts would be more secure. Any suggestions/best practices that anyone can help me with?
Thanks!
March 16, 2011 at 1:19 pm
Well, we are having the same discussion at my job concerning sql logins vs windows authentication. We are currently using windows authentication but one of my developers brought up the idea that with windows authentication our "smart" users can access the database without going through the application. I had no counter arguement for this point. If we did use a sql login acct then users would have no access to the database. Does anyone have any comments???
March 17, 2011 at 6:52 am
We have the application log into SQL Server with SQL Server authentication. You set up a user for the application and give it the rights that a user would need. Then the users log into the application, but the application logs into SQL Server.
March 17, 2011 at 8:04 am
jlmoore03,
If you're using SQL 2K8, you can check what app your "smart" users are connecting with using a login trigger, and reject those bypassing the app.
http://msdn.microsoft.com/en-us/library/bb326598.aspx
We will be gleefully implementing this when we upgrade to 2K8 to keep our smart users at bay.
Viewing 4 posts - 1 through 3 (of 3 total)
You must be logged in to reply to this topic. Login to reply