January 15, 2004 at 5:49 am
I am fairly new to SQL Server, so there might be an easy answer to this... at least I hope there is. I am rebuilding our group's old DB. The old DB (and the new DB) are interfaced via the web using ASP. There is a login/password screen for the web interface. That being said...
In the old DB, the DBA simply put the usernames and passwords into a table (yes, in plain text) and referenced that table. I would like to do something more secure, by hopefully using SQL Server's built-in security. I have already set up Logins under the security tab so that certain people can connect via other SQL Server clients.
What would be the best way to utilize this type of web login combined with SQL Server?
Thanks in advance!
-JD
January 15, 2004 at 7:53 pm
Most likely the ASP app uses a connection string with a SQL Login (username and password) specified in it. This is the login used by the APP to log in to SQL Server and use the database. The user names and passwords table in this database are probably used by the app to assign application level rights. That being said...
Without altering the code in the ASP app, the best security you can give at this point is A) granting the SQL Server login (no server roles), B) setting the default database for that login to the APP database, C) setting the database roles to the lowest level acceptable (db_datareader and/or db_datawriter?). See database/server roles in BOL for more information.
If you have access to alter the application (and/or IIS) you have other choices with SQL Server security. You can also encrypt the passwords in the already established user/password table for the app.
bb
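Steps A to C from the reply above, written out as an added T-SQL example (not part of the original thread and not the posters' own code). It uses the syntax of current SQL Server versions; SQL Server 2000, current when this thread was written, used `sp_addlogin` and `sp_grantdbaccess` for the first two statements. The names `AppDb`, `web_app_login` and `web_app_user` and the password placeholder are assumptions.

```sql
-- Added example: least-privilege login for the ASP connection string.
-- AppDb, web_app_login, web_app_user are hypothetical names.

-- A) + B) SQL login with no server roles, default database set to the app DB.
USE master;
CREATE LOGIN web_app_login
    WITH PASSWORD = N'<strong-password-placeholder>',
         DEFAULT_DATABASE = AppDb,
         CHECK_POLICY = ON;          -- enforce the Windows password policy

-- C) Map the login into the app database with the lowest roles acceptable.
USE AppDb;
CREATE USER web_app_user FOR LOGIN web_app_login;
EXEC sp_addrolemember N'db_datareader', N'web_app_user';
EXEC sp_addrolemember N'db_datawriter', N'web_app_user';  -- omit if read-only

-- Check 1: fixed server role memberships of the login.
-- Expected: zero rows (membership in public is implicit and not listed).
SELECT r.name AS server_role
FROM   sys.server_role_members AS m
JOIN   sys.server_principals   AS r ON r.principal_id = m.role_principal_id
JOIN   sys.server_principals   AS p ON p.principal_id = m.member_principal_id
WHERE  p.name = N'web_app_login';

-- Check 2: database roles of the mapped user.
-- Expected: only db_datareader and db_datawriter.
SELECT r.name AS database_role
FROM   sys.database_role_members AS m
JOIN   sys.database_principals   AS r ON r.principal_id = m.role_principal_id
JOIN   sys.database_principals   AS u ON u.principal_id = m.member_principal_id
WHERE  u.name = N'web_app_user';

-- Check 3: explicit GRANT/DENY entries held directly by the user,
-- which would widen or narrow access beyond the two roles.
SELECT permission_name, state_desc, class_desc
FROM   sys.database_permissions
WHERE  grantee_principal_id = DATABASE_PRINCIPAL_ID(N'web_app_user');
```

Check 3 normally returns just the `CONNECT` permission that `CREATE USER` grants; anything else is an explicit grant or deny worth reviewing.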
January 16, 2004 at 5:19 am
You mentioned "Without altering the code in the ASP app".
What are the options if I am willing to change the ASP code?
-JD
January 16, 2004 at 6:35 am