Re: Securing a web DB

From: Dustin Puryear (dpuryear@usa.net)
Date: Fri, 29 Nov 2002 15:23:26 GMT

On Fri, 29 Nov 2002 12:40:20 +0530, "Murali Vasudevan"
<diffs@vsnl.com> wrote:
>The way the s/w is designed currently is to read the connection string (db
>name, uid, password) from an XML file and establish connection to the DB.
>
>We are planning to host the site with an ISP.
>One of the requirements is that the ISP should not be able to "easily"
>access the SQL database.
>Firstly, we are planning to use SQL server authentication (and not Win 2K
>integrated login) for the database.
>We want to ensure that the Web host administrator does not read XML file and
>get to know the SQL server password.
>One suggestion is to encrypt the password (or connect string) and store this
>in XML.
>
>What do others do in these situations? Any ideas are welcome.

Your options are limited here. If you encrypt the file containing the
SQL Server password then you need to put the decryption key into your
ASP code somewhere. That too will be available to the server
administrators.

If your data needs this level of security then consider colocating
your own, locked server at the ISP. The server can still be attacked,
but this at least places an additional barrier between you and them.
Alternatively, you could host the site yourself, but that is certainly
not always an option.

Ultimately, the real solution may just be to compartmentalize the
webserver's access by creating a special login with extremely
restricted read writes to your database. To be honest, if I was
hosting a site requiring access to my sensitive data at an ISP I would
mirror only the required data to the site and keep the logins local.
That way there is never any access to your larger, more sensitive
internal databases.

---
Dustin Puryear
Puryear Information Technology
Windows, UNIX, and IT Consulting
http://www.puryear-it.com
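
Added example, not part of the original post: one way to set up the restricted login and mirrored-data database suggested in the reply above, so that a password read from the XML file exposes only one view and one procedure. It uses T-SQL syntax from SQL Server 2005 and later (newer than the product version current when the post was written); every object name is hypothetical, and the tables dbo.Products and dbo.ContactRequests are assumed to exist already in the mirrored database.

```sql
-- Added example; all object names are hypothetical.
-- WebPublic is the small database hosted at the ISP. It holds only the
-- mirrored rows the site needs, never the internal databases.
USE WebPublic;
GO

-- SQL Server authentication login, as in the original question.
-- The password is a placeholder; replace it before use.
CREATE LOGIN web_site_login
    WITH PASSWORD = '<placeholder-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = WebPublic;
GO

CREATE USER web_site_user FOR LOGIN web_site_login;
GO

-- Schema exposing only what the pages need. It is owned by dbo so that
-- ownership chaining lets the view and procedure reach dbo tables
-- without the web user holding any right on those tables directly.
CREATE SCHEMA web AUTHORIZATION dbo;
GO

CREATE VIEW web.ProductCatalog AS
    SELECT ProductId, Name, Price      -- cost and supplier columns omitted
    FROM dbo.Products
    WHERE IsPublished = 1;
GO

CREATE PROCEDURE web.AddContactRequest
    @Email nvarchar(256), @Message nvarchar(2000)
AS
    INSERT INTO dbo.ContactRequests (Email, Message, ReceivedAt)
    VALUES (@Email, @Message, SYSUTCDATETIME());
GO

-- The only rights the web login receives.
GRANT SELECT  ON OBJECT::web.ProductCatalog    TO web_site_user;
GRANT EXECUTE ON OBJECT::web.AddContactRequest TO web_site_user;

-- Explicit denies on the base tables, so a later role grant cannot
-- widen direct access. Ownership chaining still lets the view and
-- procedure above work.
DENY SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO web_site_user;
GO
```

The host administrator can still read this login's password from the XML file; the setup only limits what that password can reach.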

