May 27, 2009 at 10:32 pm
Hi
I have an asp.net website (that is publicly available) on a server with connectivity to MS SQL 2005 as the database.
I have a few concerns regarding the security issues:
1) Is it OK if I were to host both the web site and the database server on the same IP? If not, then how should these be configured to ensure maximum security?
2) In case it is not feasible to arrange for a separate server for the database, are there any techniques that can be adopted to ensure data security against potential threats like hacking?
3) How safe is encrypting the connection string being used in my code?
4) I have created a new user/password for the database that I have to access. Does assigning specific permissions to this user also help in database security?
I have implemented code to handle against SQL Injection.
Are there any specific tools (freely available) that can be used to avoid a situation where the database is hacked?
Please help this newbie.
June 1, 2009 at 2:15 am
ajain (5/27/2009)
Hi
1) Is it OK if I were to host both the web site and the database server on the same IP? If not, then how should these be configured to ensure maximum security?
2) In case it is not feasible to arrange for a separate server for the database, are there any techniques that can be adopted to ensure data security against potential threats like hacking?
3) How safe is encrypting the connection string being used in my code?
4) I have created a new user/password for the database that I have to access. Does assigning specific permissions to this user also help in database security?
1. It depends. It's not going to be less secure to have the DB on a different machine, at any rate. If you have a suitable recovery plan, and suitable security in place, then hosting on the same IP is fine.
2. Make regular, off-site backups. Don't trust any data input from the website. Implement basic monitoring to prevent password attacks (e.g. more than x number of attempts in y period of time).
3. Safe enough. You should connect from your website with a user that only has EXECUTE rights on stored procedures, and nothing else.
4. See 3 above.
June 1, 2009 at 2:53 am
Hi,
Thanks for the inputs.
Just a few more queries.
We have implemented code to handle SQL Injection.
We use only parameterized stored procedures for all operations of the database.
Also, the places where we have had to implement Dynamic SQL, we are executing the query through sp_executesql.
Despite all these measures, is it possible that somebody can gain access to my database and run a malicious script?
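The two measures raised in this thread, an application user that holds only EXECUTE rights on stored procedures (reply above) and dynamic SQL routed through sp_executesql with real parameters (this post), as one added T-SQL example. This is not code from any poster; the database, login, procedure, table and column names are constructed for illustration, and the syntax stays within what SQL Server 2005 supports.

```sql
-- Added example: least-privilege web-app user plus parameterized dynamic SQL.
-- All names below (MyAppDb, AppLogin, AppUser, dbo.Orders, the procedure) are
-- placeholders, not values from the thread.
USE MyAppDb;
GO

-- 1. A dedicated login/user for the website. No server role, no db_owner.
CREATE LOGIN AppLogin WITH PASSWORD = '<strong-password-here>', CHECK_POLICY = ON;
CREATE USER AppUser FOR LOGIN AppLogin;
GO

-- 2. A procedure whose dynamic SQL never concatenates user input.
--    The customer name travels as a typed parameter to sp_executesql; only the
--    sort column, an identifier that cannot be parameterized, is spliced in,
--    and only after checking it against a fixed list and wrapping it in QUOTENAME.
CREATE PROCEDURE dbo.usp_GetOrdersByCustomer
    @CustomerName nvarchar(100),
    @SortColumn   sysname = N'OrderDate'
AS
BEGIN
    SET NOCOUNT ON;
    IF @SortColumn NOT IN (N'OrderDate', N'OrderTotal')
    BEGIN
        RAISERROR(N'Invalid sort column.', 16, 1);
        RETURN;
    END

    DECLARE @sql nvarchar(max);
    SET @sql = N'SELECT OrderId, OrderDate, OrderTotal FROM dbo.Orders '
             + N'WHERE CustomerName = @name ORDER BY ' + QUOTENAME(@SortColumn) + N';';

    -- Parameter definition string, then the value bound by name.
    EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @CustomerName;
END
GO

-- 3. Grant EXECUTE on the procedure schema and nothing else. AppUser gets no
--    SELECT/INSERT/UPDATE/DELETE on any table. Because dbo owns both the
--    procedure and dbo.Orders, ownership chaining lets the procedure read the
--    table on the user's behalf without the user holding table rights.
GRANT EXECUTE ON SCHEMA::dbo TO AppUser;
GO

-- 4. Verify by impersonating the app user: inspect its rights on the table
--    directly, then confirm the procedure still runs through the chain.
EXECUTE AS USER = 'AppUser';
SELECT permission_name FROM sys.fn_my_permissions('dbo.Orders', 'OBJECT');
EXEC dbo.usp_GetOrdersByCustomer @CustomerName = N'Contoso Ltd', @SortColumn = N'OrderTotal';
REVERT;
```

Running step 4 with a sort column outside the allowed list raises the error instead of executing, which is the check that makes identifier splicing safe here.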
June 1, 2009 at 3:08 am
There are attack vectors other than through your ASP.NET application. Locking that down, as you have done (I'm not an expert in ASP.NET security, mind you), is one step.
If you're worried about the database security, make sure you lock that down, too. There are many ways to do this, so I recommend that you get your reading glasses on. Check out http://www.sqlsecurity.com, and hit BOL and Google for best practice. Make sure you secure your backups too.