Monday, March 19, 2012

Best practice question

I have a aspx page that needs data from sqlexpress. When I installed sqlexpress, I installed it with "mixed-mode" security. When a user visit's my page, by default the username is IUSR_MyMachine. So, I added this user to the SQLServer2005MSSSQLUSers$MyMachine$SQLEXPRESS group. I have a connection string that looks like:

"Data Source=MyServer\sqlexpress;Initial Catalog=MyDB;Integrated Security=True;Pooling=True"

At this point I can go on my merry way and log in and do my thing. My question is this, is this the right way to do this? Should I be adding IUSR to the sql group? Should I set up a sql user instead? What's the best practice for connecting to a db from an aspx page?

Any insight would be great.
Thanks ... Ed

This is a repost. I never got a response the first time.

I'm pretty sure that you made a major error just then. By adding the IUSR account to that group, you gave anonymous visitors full database admin rights. I *think* you want to set up a limited account, and grant it specific rights on specific databases or tables w/in databases. I'm poking around myself to figure out how to do it right (which brought me here), but I think your solution is like making everybody domain admin. Sure, everything works that way :), but some things you don't want to "work" for some users.|||In general the most secure way to configure this is to create a new local user called SQLReader. Then configure this local user inside SQL Server to only allow login to your specfic database, granting the user read-only access. This keeps the access very restricted. Then map the aspx page to the SQLReader account.

Of course I am leaving out all the gory details of mapping a specific aspx page to a specific user, this can be bloody difficult. One way to do it is to create a .NET component hosted in COM+ and set the COM+ package to run as a specific user (having the aspx page make calls to the component). You can also twiggle around with the web.config file in aspx to do this mapping.

However, since you already have all your desired users mapped to IUSR_MyMachine by default, then you can just skip the SQLReader part, just add IUSR_MyMachine as login to only the MyDB database and only grant read access and you are set. This is assuming you are ok for any user that hits your web site to read from the SQL database.|||Thanks for the response. You've given me a lot to think about. I appreciate the thoughtful comments.
Later ... Ed

No comments:

Post a Comment