Re: [RE: [SQL connection string security]]
From: Chip Andrews (chipandrews@usa.net)
Date: 01/10/02
Date: 10 Jan 2002 17:14:57 EST
From: Chip Andrews <chipandrews@usa.net>
To: "John Munyan" <johnm@attrition.ws>, "Chip Andrews" <chipandrews@usa.net>, "Eli Allen" <eallen@bcpl.net>, <focus-ms@securityfocus.com>

Pooling would NOT be defeated because in this scenario all users run in the
context of the IUSR account. If you use NTLM or basic auth then all bets are
off.
Chip
"John Munyan" <johnm@attrition.ws> wrote:
> Do the right thing - never use SQL Server's native security. Use a
> trusted connection (using the I_USR account) to a limited set of stored
> procedures that control all access to the database - just like Microsoft
> recommends.
> You'll never have the username or password lying around in a connection
> string again. If someone breaks into the SAM then you've got a lot more
> to worry about than the loss of the I_USR account password. ;-)
>
> But isn't there a significant performance hit when using this form of
> authentication? Can connection pooling be used? I was under the
> impression that every db access would cause a new connection to be
> formed and therefore using the integrated auth would be frowned on in a
> performance type light? Am I all wet?
>
> Thanks,
>
> John
>
> -----Original Message-----
> From: Chip Andrews [mailto:chipandrews@usa.net]
> Sent: Thursday, January 10, 2002 10:14 AM
> To: Eli Allen; focus-ms@securityfocus.com
> Subject: Re: [SQL connection string security]
>
>
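
The distinction discussed in this thread, as an added example that is not part of the original messages: a small auditor that flags connection strings carrying a SQL Server native login, plus a simplified model of pooling in which trusted connections are pooled per Windows identity. The connection strings, server name and account names are constructed, and quoted values containing semicolons are not handled.

```python
# Added illustration; connection strings and account names are constructed.
TRUSTED_KEYS = ("integrated security", "trusted_connection")
TRUSTED_VALUES = ("sspi", "true", "yes")
PASSWORD_KEYS = ("password", "pwd")
USER_KEYS = ("user id", "uid")


def parse(conn_str):
    """Split 'key=value;...' into a dict with lower-cased keys (no quoted values)."""
    pairs = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs


def is_trusted(kv):
    """True when the string asks for Windows (trusted) authentication."""
    return any(kv.get(k, "").lower() in TRUSTED_VALUES for k in TRUSTED_KEYS)


def audit(conn_str):
    """Return a list of findings for one connection string."""
    kv = parse(conn_str)
    has_secret = any(k in kv for k in PASSWORD_KEYS)
    has_user = any(k in kv for k in USER_KEYS)
    if is_trusted(kv):
        # The trusted setting wins, but a leftover password is still exposed on disk.
        return ["password stored but unused with a trusted connection"] if has_secret else []
    if has_secret or has_user:
        return ["SQL Server native login embedded in connection string"]
    return ["no authentication mode specified"]


def pool_key(conn_str, windows_identity):
    """Simplified pooling model: trusted connections are pooled per identity."""
    kv = parse(conn_str)
    identity = windows_identity.lower() if is_trusted(kv) else None
    return (tuple(sorted(kv.items())), identity)


def distinct_pools(conn_str, identities):
    """Number of separate pools a set of request identities would create."""
    return len({pool_key(conn_str, who) for who in identities})


NATIVE = "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=shop;User ID=webapp;Password=example-only"
TRUSTED = "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=shop;Integrated Security=SSPI"
```

With anonymous access every request carries the same IUSR identity, so `distinct_pools` returns 1 for the trusted string; with per-user identities, as under NTLM or basic auth, it returns one pool per user.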