Connecting to Web Server

  • Our setup here comprises a SQL 2000 server holding web content and several web servers pulling data from the SQL server.

    Now I have managed to get a DSN connection to the SQL server, only to get an error message specifying NT AUTHORITY\ANONYMOUS LOGON.

    I have added this account to the SQL Server and only given it access to the specific database for the webcontent.

    What I would like to know is this:-

    What is the NT AUTHORITY\ANONYMOUS LOGON account?

    Does it pose any security risks (this is only a development situation at the moment) when the web application gets rolled out?

    Can I leave this setup as is, or is there any better/more secure way of doing the same thing?

    PS we don't have Active Directory and our Domain Controller is NT4

    Edited by - capgpilk on 12/05/2002 10:02:41 AM

  • This is actually a group representing all processes running for "anonymous" network logons (e.g. ftp and www clients). These local accounts are created when IIS is installed and usually are given names like MACHINE\IUSR_MACHINE and MACHINE\VUSR_MACHINE. You can control these accounts via the IIS console.

  • Conventionally, we set up a SQL Server ID and use it for connection. The ID assigned has access only to the stored procs necessary for the application. It can't get to any views or tables. There's no real penalty for doing so.

  • I set up an account for anonymous in IIS and use that to connect. If you make the name and password the same on the web server and the SQL server, it should work fine as a workgroup. If you can, make a basic (non-admin) domain account and do the same thing.

    Steve Jones

    sjones@sqlservercentral.com

    http://www.sqlservercentral.com/columnists/sjones

  • Steve's second approach, with matching Windows users (passwords, too) on both the web server and the SQL Server, is what I'd recommend. There are some weaknesses with SQL Server logins: they are susceptible to discovery using a network trace and, of course, there is the weakened hash in sysxlogins.

    Steve wrote an informative article reviewing NGSSQLCrack, a program that takes advantage of the weakened hash. It's a good read and a good utility.

    K. Brian Kelley
    @kbriankelley

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
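The SQL Server side of what the two replies above describe (a Windows account with the same name and password on the web server and the SQL Server, used as the IIS anonymous account, and a database principal that can only execute the application's stored procedures, never touch tables or views), as an added worked example that is not code from any post in this thread. Everything named here is a hypothetical assumption: the SQL Server box is `SQL1`, the local Windows user created on both machines is `WebAnon`, the database is `WebContent`, and the application's only entry point is `dbo.usp_GetPage`. The syntax is the SQL Server 2000 system-procedure style the thread is about; newer versions accept `CREATE LOGIN`/`CREATE USER` instead.

```sql
-- Added example, not from the thread. Assumes a local Windows user WebAnon
-- (same name and password) already exists on both the web server and SQL1,
-- and that IIS uses it as its anonymous-access account. All names hypothetical.
USE master
GO

-- Map the Windows account to a login. Nothing is stored in sysxlogins.password
-- for a Windows login, so there is no hash to sniff or crack; NTLM does the work.
EXEC sp_grantlogin 'SQL1\WebAnon'
EXEC sp_defaultdb  'SQL1\WebAnon', 'WebContent'   -- never land in master by default
GO

USE WebContent
GO

-- Sample schema so the example is self-contained: one table, one procedure.
CREATE TABLE dbo.Pages (PageId int NOT NULL PRIMARY KEY, Body ntext NULL)
GO
CREATE PROCEDURE dbo.usp_GetPage @PageId int AS
    SELECT Body FROM dbo.Pages WHERE PageId = @PageId
GO

-- Database user plus a role to hang permissions on (grant to roles, not users).
EXEC sp_grantdbaccess 'SQL1\WebAnon', 'WebAnon'
EXEC sp_addrole       'WebReader'
EXEC sp_addrolemember 'WebReader', 'WebAnon'
GO

-- The role may only EXECUTE the application's procedures. Because dbo owns both
-- the procedure and the table, ownership chaining lets the procedure read
-- dbo.Pages without any table permission; the explicit DENY below is belt and
-- braces against someone later granting SELECT on the table to public.
GRANT EXECUTE ON dbo.usp_GetPage TO WebReader
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.Pages TO WebReader
GO

-- Check 1: what can the role actually do? (protecttype 205 = GRANT, 206 = DENY)
EXEC sp_helprotect NULL, 'WebReader'
GO

-- Check 2: impersonate the web user and prove the table is unreachable.
-- SETUSER requires sysadmin/db_owner; the bare SETUSER at the end reverts.
SETUSER 'WebAnon'
EXEC dbo.usp_GetPage 1          -- succeeds (empty result on the fresh table)
SELECT * FROM dbo.Pages         -- fails with error 229, SELECT permission denied
SETUSER
GO

-- Check 3: audit for remaining SQL logins, the ones whose password hashes live
-- in sysxlogins and whose credentials cross the wire on every connect.
SELECT name, sysadmin, hasaccess
FROM master..syslogins
WHERE isntname = 0
ORDER BY name
GO
```

On the web server the DSN only needs `Trusted_Connection=yes` and no user ID or password; because the IIS anonymous account is `WebAnon`, the worker process presents that identity to SQL1, and the matching local account there lets NTLM authenticate it without a domain. The final query is the one to run before rollout: apart from `sa` (which should have a strong password set anyway), every row it returns is a credential that is sniffable and, on SQL Server 2000, crackable from the second, upper-cased hash in sysxlogins.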

  • I agree: create your own account and don't use the default anonymous web account. The reason is that a hacker will attempt to use that account to get at your SQL Server, since many people make the same mistake. If they find it works and you have given it too much access, they will be able to do things to the data. Also, this now gives them a way to execute many public functions and lift a lot of details from your server that you may not want them to have. This is like using the Guest Windows account: you should disable it and make your own.

  • The main reason I don't like the anonymous account is because it gives users behind the firewall access to the SQL Server unless you firewall it or put ACLs on the router/switch to prevent this.

    K. Brian Kelley

  • Thanks guys.

    I have created accounts on the SQL Server and web server and used that account as the Anonymous Access account in IIS. Everything works fine now. I can create separate accounts on each web server and give them appropriate access to the databases they need.

    Thanks again for the swift response.
