April 27, 2017 at 7:40 am
With regards to security, what is the best practice regarding Web Applications connecting to SQL Server 2012 Databases.
Thanks in advance!
April 27, 2017 at 10:47 am
It's SQL Server. Every security setting you would use to ensure proper protection of the system is the same when dealing with web pages as when dealing with traditional client server situations. For details on securing your servers, I recommend Denny Cherry's book on security.
"The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood"
- Theodore Roosevelt
Author of:
SQL Server Execution Plans
SQL Server Query Performance Tuning
April 27, 2017 at 11:41 am
Thanks. That's kinda what I thought. Unfortunately, most of the places I've worked embedded the login and password within the application connection config file, which, I knew, is very bad. Integrated Security/Windows Authentication groups is really the way to go.
April 27, 2017 at 12:21 pm
Yes. Absolutely. An application login using AD is correct. Further, that login should not be 'sa' on the server. It also shouldn't even be 'dbo' on the database. However, all this is just scratching the surface. From a security standpoint you also have to worry about firewalls, SQL injection and all sorts of other stuff. That's why I recommend the book rather than trying to replicate it in a forum post.
April 27, 2017 at 12:41 pm
You can encrypt connection strings in your config files to help security some. If you're using SQL Server or Windows authentication, you do want all connections from the application server to the database server to be using the same login though, so that you can enable connection pooling:
https://msdn.microsoft.com/en-us/library/8xx3tyca(v=vs.110).aspx
You can change what login IIS would use with the database for Windows authentication in the Application Pool, Identity property:
https://www.syncfusion.com/kb/6897/how-to-add-permission-for-iis-application-pool-to-access-sql-server-database
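The advice in the replies above (a Windows/AD login for the application, not 'sa' at the server level, not 'dbo' in the database, one shared login so connection pooling works) can be expressed as a T-SQL provisioning script. The script below is an added example written for this thread, not code from any of the posters. The AD group name CONTOSO\WebApp-SQL-Users, the database AppDb, the schema app and the role WebAppRole are all hypothetical placeholders; if the IIS application pool identity from the last reply is used instead, the same statements apply with that service account (or the machine account) as the principal. The verification queries at the end read the catalog views, so they show what the login actually holds rather than what was intended.

```sql
-- Added example, not from the thread. Hypothetical names: AD group
-- CONTOSO\WebApp-SQL-Users, database AppDb, schema app, role WebAppRole.
USE [master];
GO
-- 1. Server-level Windows login for the AD group. It is added to no server
--    role at all, so it is never sysadmin (and never 'sa').
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CONTOSO\WebApp-SQL-Users')
    CREATE LOGIN [CONTOSO\WebApp-SQL-Users] FROM WINDOWS WITH DEFAULT_DATABASE = [AppDb];
GO
USE [AppDb];
GO
-- 2. Database user mapped to that login. It is a plain user, not dbo and not
--    a member of db_owner.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CONTOSO\WebApp-SQL-Users')
    CREATE USER [CONTOSO\WebApp-SQL-Users] FOR LOGIN [CONTOSO\WebApp-SQL-Users];
GO
-- 3. Application schema and a custom role that may only EXECUTE procedures
--    in it. Routing data access through procedures keeps the web login away
--    from direct table access, which limits what a SQL injection flaw can reach.
IF NOT EXISTS (SELECT 1 FROM sys.schemas WHERE name = N'app')
    EXEC (N'CREATE SCHEMA [app]');
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'WebAppRole' AND type = 'R')
    CREATE ROLE [WebAppRole];
GO
GRANT EXECUTE ON SCHEMA::[app] TO [WebAppRole];
ALTER ROLE [WebAppRole] ADD MEMBER [CONTOSO\WebApp-SQL-Users];  -- ALTER ROLE ... ADD MEMBER is SQL Server 2012+
GO
-- 4. Verification from the catalog views.
-- Server roles held by the login: expect no rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\WebApp-SQL-Users';

-- Database roles held by the user: expect only WebAppRole (no db_owner).
SELECT r.name AS database_role
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\WebApp-SQL-Users';

-- Explicit permissions granted to the role: expect a single GRANT of
-- EXECUTE on SCHEMA app and nothing else.
SELECT p.state_desc, p.permission_name, p.class_desc,
       SCHEMA_NAME(p.major_id) AS schema_name
FROM sys.database_permissions AS p
JOIN sys.database_principals AS g ON g.principal_id = p.grantee_principal_id
WHERE g.name = N'WebAppRole';
```

Because every web server (or every application pool) authenticates as a member of the same group, the connection string on each box is just `Integrated Security=SSPI` with no password in it, and the pool still sees one identical login, so ADO.NET connection pooling keeps working as the last reply describes.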