ASP to SQL

  • I have an ASP that connects to my SQL database. What is at risk? If the ASP passes the SQL account and password, is it encrypted or does it send it in clear text? Is it sufficient to lock down the ASP page so no one can view the SQL account & password? Looking for any words of wisdom on this subject, or point me to some reading I can do on this. Thanks

  • If you use SQL Server logins and connect to SQL Server without IPSec or SSL, then the password doesn't go across in plaintext, but it might as well. It's trivial to break. Windows authentication, on the other hand, doesn't send the password across.

    You didn't indicate if your web server is facing the Internet or an intranet server. There is a substantial difference in risk as well as configuration. So it's hard to give you the "best" answer to your question without knowing for what purpose the web server will be used. I will say this, do not assume your ASP pages will be 100% safe. If you hard code a username/password in those pages, expect them to be found. This isn't to say it will happen. However, from a security perspective you always consider the worst. One of the things folks like to do with web servers is figure out ways to get them to reveal source code. SQLServerCentral.com isn't the forum for that, but you get the idea. So generally you want to use Windows authentication (also known as integrated security) if possible. Here are some starting points:

    INFO: Accessing SQL Server with Integrated Security from ASP

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q176377

    HOWTO: IIS and SQL Server on Separate Machines with Trusted Connection

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;176379

    ASP.NET Security Presentation (Good Points Applicable to Basic ASP):

    http://cpd.ogi.edu/seminars04/hickmanseminar.pdf

    SQL Server Security Presentation (from Microsoft):

    http://research.microsoft.com/~jamesrh/TalksAndPapers/SQL_SecurityWebcast.ppt

    Hope these help.

     

    K. Brian Kelley
    @kbriankelley
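
An added example, not part of the original posts: a small Python audit that scans classic ASP source for connection strings that hard-code a SQL Server login, as opposed to requesting integrated security (`Integrated Security=SSPI` for OLE DB, `Trusted_Connection=yes` for ODBC). The sample page, host name, database and login are constructed placeholders, and the function names are hypothetical.

```python
import re

# Constructed classic-ASP sample (not from the thread); host, database and login are placeholders.
SAMPLE_ASP = '''<%
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open "Provider=SQLOLEDB;Data Source=DBHOST;Initial Catalog=Orders;" & "User ID=webapp;Password=EXAMPLE-ONLY"
Set conn2 = Server.CreateObject("ADODB.Connection")
conn2.Open "Driver={SQL Server};Server=DBHOST;Database=Orders;Trusted_Connection=yes"
%>'''

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')  # VBScript literal; "" escapes a quote
SOURCE_KEYS = {"provider", "driver", "data source", "server"}
USER_KEYS = {"user id", "uid"}
PASSWORD_KEYS = {"password", "pwd"}
# Keyword/value pairs that request Windows authentication (OLE DB and ODBC forms).
INTEGRATED = {"integrated security": {"sspi"}, "trusted_connection": {"yes"}}

def parse_conn_string(text):
    """Return {key: value} with lower-cased keys, or None if text is not a connection string."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs if SOURCE_KEYS & pairs.keys() else None

def audit_asp(source):
    """Return [(line_number, finding)]; the secret itself is never echoed."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Join the literals on one line so "..." & "..." concatenation is seen whole.
        # Strings built across several lines or from variables are out of scope here.
        joined = "".join(m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(line))
        pairs = parse_conn_string(joined)
        if pairs is None:
            continue
        integrated = any(pairs.get(k, "").lower() in v for k, v in INTEGRATED.items())
        if any(pairs.get(k) for k in PASSWORD_KEYS):
            findings.append((lineno, "hard-coded SQL login password"))
        elif not integrated and (USER_KEYS | PASSWORD_KEYS) & pairs.keys():
            findings.append((lineno, "SQL Server login without integrated security"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_asp(SAMPLE_ASP):
        print(f"line {lineno}: {finding}")
```
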

  • You posted this question THREE TIMES! You will get a better response if you're more careful to post a question only once. You got an answer from me on one thread, one from someone else on the second thread and a third answer here. If we had all seen each other's answers then some of what you got might have been different. The point is the collaborative nature of the forums. You can't collaborate if the question is asked three different times and people use three different threads to respond.

     

     

  • Sorry for the multiple posts. It seemed like some forums get a lot more traffic than others and I wasn't sure where to best post the question. Now I know, thanks for the feedback.

  • Hey Gary,

    Generally most users hit Active Topics and see the list of all new topics. Therefore in the future you only need to post once. Someone will get to it!

     

    K. Brian Kelley
    @kbriankelley
