Wednesday, March 7, 2012

Best Method for Web Access to SQL

Hi,
I manage a public website for a bank. We just upgraded the website from a M
icrosoft Access database backend to a SQL Server database backend. I initia
lly installed SQL with Windows Authentication only. But then I ran into pro
blems when the website was
configured with Anonymous access because SQL Server was requiring a Windows
User ID and Password. I changed the security to use SQL Server authenticati
on, I created an account in SQL Server, and put the User ID and Password in
my connection string. Now
it works but I am concerned with the security. I don't know if the other SQ
L Server IDs are vulnerable to hacking, e.g. sa.
I was thinking it might be possible to use Windows Authentication only on th
e database and grant access to the IUSR_* account. But I didn't test this t
o see if it would work.
Which is the most secure method of securing SQL Server when the website is c
onfigured with Anonymous access? The current configuration described in the
first paragraph or something similar to what I described in the second para
graph? The website must be
configured with Anonymous access. That is one requirement I can not change.
KB articles would help me.
Thanks.
DaveAdd the IUSR_* account as a login on your SQL Server. Grant it access only
to the relevant databases and objects therein. If your SQL Server and IIS
server are on separate machines - as they should be - you'll need a domain
account for IUSR_*.
Tom
----
Thomas A. Moreau, BSc, PhD, MCSE, MCDBA
SQL Server MVP
Columnist, SQL Server Professional
Toronto, ON Canada
www.pinnaclepublishing.com/sql
.
"David" <david_eastes@.yahoo.com> wrote in message
news:CB7D44CE-A18F-41AA-BA9B-E60560743DE2@.microsoft.com...
Hi,
I manage a public website for a bank. We just upgraded the website from a
Microsoft Access database backend to a SQL Server database backend. I
initially installed SQL with Windows Authentication only. But then I ran
into problems when the website was configured with Anonymous access because
SQL Server was requiring a Windows User ID and Password. I changed the
security to use SQL Server authentication, I created an account in SQL
Server, and put the User ID and Password in my connection string. Now it
works but I am concerned with the security. I don't know if the other SQL
Server IDs are vulnerable to hacking, e.g. sa.
I was thinking it might be possible to use Windows Authentication only on
the database and grant access to the IUSR_* account. But I didn't test this
to see if it would work.
Which is the most secure method of securing SQL Server when the website is
configured with Anonymous access? The current configuration described in
the first paragraph or something similar to what I described in the second
paragraph? The website must be configured with Anonymous access. That is
one requirement I can not change. KB articles would help me.
Thanks.
Dave

No comments:

Post a Comment