August 18, 2004 at 11:40 am
Hi,
I am familiar with SQL Server but I am new to all of its administration stuff. I am developing an internet application using ASP.Net, Windows 2003 server and SQL Server. I have a question regarding users and authentication. For an internet application do I have to use SQL Server authentication? In some documentation I read 'SQL Server Authentication may be required for connections with clients other than Windows clients.' But when users request a dynamic webpage, it is my Windows 2003 server that connects to the SQL Server database. So I was thinking Windows authentication is enough. Am I right? If not, can you please explain.
Thanks
August 18, 2004 at 6:21 pm
Generally web sites use one account for all data access, which can be a Windows account or a SQL login. Then you write separate code to authenticate/authorize the user to do various things. I tend to use SQL logins, but I don't think it's the recommended party line to do so - I just find it easier to work with.
August 18, 2004 at 10:01 pm
The web site, it'll be on the Internet? Generally, unless you're using something like ISA server, it's not a good idea to allow your web server to be a member of a domain. Therefore, you don't have the option of Windows authentication unless you create a local Windows account on the SQL Server that matches a local Windows account on the web server. Even with that said, most of us who are paranoid still require web servers accessible from the Internet to be in their own workgroup, ISA server or not. In most of these cases, SQL Server logins are the easiest to deal with.
Some (Tim Mullen, aka thor from HammerOfGod and the Windows security columnist at securityfocus.com) would say make the SQL Server in a workgroup and stick it in the DMZ as well... pushing data to it that the web site needs to access. This ensures that should the web site be compromised (a matter of when, not if, in current security thinking), you know the SQL Server will be compromised as well. If neither box is on the domain, an attacker can't use either to hop directly to another server with domain credentials. With proper ACLs on the firewall, routers, etc., it's even more unlikely this can occur.
K. Brian Kelley
@kbriankelley
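Both replies describe the same setup: one dedicated data-access account for the web application (a SQL login, or a mirrored local Windows account when the web server is not in the domain), with per-user authorization done in application code. The T-SQL below is an added example, not from any post in this thread, showing how that single account is provisioned with least privilege using SQL Server 2000-era system procedures; the database, login, machine and procedure names are hypothetical.

```sql
-- Added example (not from any post in this thread): provisioning the single
-- data-access account the replies describe, with least privilege, using
-- SQL Server 2000-era system procedures. Names (WebShop, web_app,
-- SQLSRV01\WebAppUser, usp_GetProduct, usp_PlaceOrder) are hypothetical.

-- Option A: SQL Server login (the "easiest to deal with" route above).
-- The application must not connect as sa or as any sysadmin account.
EXEC sp_addlogin @loginame = 'web_app',
                 @passwd   = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD',
                 @defdb    = 'WebShop';

-- Option B: mirrored local Windows account for an out-of-domain web server.
-- The SQL Server box has a local account with the same name and password as
-- the one the web application runs under on the web server.
-- EXEC sp_grantlogin 'SQLSRV01\WebAppUser';

USE WebShop;
GO
-- Map the login to a database user and put it in a purpose-built role.
EXEC sp_grantdbaccess @loginame = 'web_app', @name_in_db = 'web_app';
EXEC sp_addrole 'web_app_role';
EXEC sp_addrolemember 'web_app_role', 'web_app';

-- Grant only what the pages need: EXECUTE on specific stored procedures,
-- no direct SELECT/INSERT/UPDATE/DELETE on tables. Which user may call
-- which page stays in the application's own authorization code.
GRANT EXECUTE ON dbo.usp_GetProduct TO web_app_role;
GRANT EXECUTE ON dbo.usp_PlaceOrder TO web_app_role;

-- Check: the role should hold nothing beyond those two grants.
EXEC sp_helprotect @username = 'web_app_role';
```

With this in place, a compromised web server yields only the two procedures, not the tables or the server.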
August 19, 2004 at 3:58 pm
Thanks for your reply. It was very helpful.