Re: Securing a web DB

From: Paddy (googlegroups@concurrency.co.uk)
Date: 11/29/02


"Murali Vasudevan" <diffs@vsnl.com> wrote in message news:<as73ip$gbi$1@newsreader.mailgate.org>...
> Hi,
>
> We are putting up an ASP.NET based web site using SQL Server database.
>
> Users of the web site get to see confidential data. All of them have to
> login to look at data.
> Eventually the site will be SSLed to protect it from password hacking.
>
> The way the s/w is designed currently is to read the connection string (db
> name, uid, password) from an XML file and establish connection to the DB.
>
> We are planning to host the site with an ISP.
> One of the requirements is that the ISP should not be able to "easily"
> access the SQL database.
> Firstly, we are planning to use SQL server authentication (and not Win 2K
> integrated login) for the database.
> We want to ensure that the Web host administrator does not read XML file and
> get to know the SQL server password.
> One suggestion is to encrypt the password (or connect string) and store this
> in XML.
>
> What do others do in these situations ? Any ideas are welcome.
>
> Murali

Well make sure your SQL account privs are all set up *really well* -
ie don't be like so many of the muppets out there and run everything
as sa! All data access must be through stored procedures, lock down
the privs on them to some very simple account. Don't allow selects,
inserts etc on the data tables themselves.

The SQL Authentication has limitations as the password for the login
is sent in very weakly encrypted form (just some bit-swapping and
XORing - search on securityfocus.com for more details), so maybe look
for an ISP you trust?

Thought about hosting offshore? - maybe sealand
(http://www.havenco.com/) where the boxes are literally on an oil
platform in the middle of the sea, with only 2 ppl allowed access?

hth
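A concrete version of the privilege setup Paddy describes above, as an added example that comes from neither poster; the database, table, procedure and login names are assumed for illustration.

```sql
-- Added example (not from the thread): least-privilege SQL Server setup in the
-- spirit of the advice above. Names (WebDb, dbo.Customers,
-- dbo.GetCustomerByEmail, web_app) are assumed for illustration.
-- CREATE LOGIN / CREATE USER are SQL Server 2005+ syntax; on SQL Server 2000
-- (current when this thread was written) use sp_addlogin / sp_grantdbaccess.

USE WebDb;
GO

-- 1. A dedicated, low-privilege SQL login for the web application.
--    The site never connects as sa.
CREATE LOGIN web_app WITH PASSWORD = '<strong-password-placeholder>',
    CHECK_POLICY = ON;
CREATE USER web_app FOR LOGIN web_app;
GO

-- 2. All data access goes through stored procedures.
CREATE PROCEDURE dbo.GetCustomerByEmail
    @Email nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    -- Parameterised: the caller cannot splice SQL into the query via @Email.
    SELECT CustomerId, Name, Email
    FROM dbo.Customers
    WHERE Email = @Email;
END;
GO

-- 3. The application account may only execute the procedures ...
GRANT EXECUTE ON OBJECT::dbo.GetCustomerByEmail TO web_app;

-- 4. ... and is explicitly denied direct access to the underlying table.
--    DENY overrides any GRANT the account might inherit through a role.
--    The procedure still works: dbo owns both the procedure and the table,
--    so ownership chaining skips the table permission check inside it.
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Customers TO web_app;
GO

-- 5. Verify the effective rights of the account without logging in as it.
EXECUTE AS USER = 'web_app';
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.Customers', 'OBJECT');          -- no rows
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.GetCustomerByEmail', 'OBJECT'); -- EXECUTE only
REVERT;
GO
```

The connection string stored on the web host then names only web_app, so even if the ISP reads it, the credential it exposes cannot select from or modify the tables directly.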


