Re: ASP.NET & Integrated Security setup?

From: Eric Newton (ericnewton76_at_hotmail.com)
Date: 08/15/03


Date: Fri, 15 Aug 2003 15:04:11 -0400


Hmmm yes, you are seeing the ignorance in the statement "you should use
integrated security in your connection strings"

The issue is that if a rogue ASP.NET app is run, it's given carte-blanche
access to any other resources that the ASPNET user can access.

I still prefer to use a database uid/pwd in the connection string, so that
if a particular app directory (assuming all other apps are isolated
security-wise) then only one set of credentials is compromised.

These issues, however, typically only occur in shared hosting environments
where several different entities may be running ASP.NET apps on the same
server.

-- 
Eric Newton
eric@ensoft-software.com
C#/ASP.net Solutions developer
"Dave" <DavidTabaka@hotmail.com> wrote in message
news:016401c35dd2$90d5c570$a301280a@phx.gbl...
> Hi,
>
> I've read quite a few places where it recommends you use
> integrated security in your connection string.
>
> I tried this in test page to connect to the Northwind
> database by setting my connection string to:
>
> "data source=<mymachinename>;initial
> catalog=Northwind;integrated security=SSPI;"
>
> It worked as long as I added ASPNET, the account used for
> running ASP.NET Worker processes, as a SQL Server Login
> with access to Northwind.
>
> My question is should each web application on the server
> have its own ASPNET-type account so it only has access to
> the databases it needs?
>
> For example:
> ASPNET_Northwind (This account can only access the
> Northwind site and the Northwind database)
>
> ASPNET_Pubs (This account can only access the Pubs site
> and the Pubs database)
>
> etc. If so, how do I do this?
>
> Thanks, Dave.
>
>
>
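
The trade-off discussed in this thread, as an added example that is not part of either post: it parses SQL Server connection strings, resolves the login each app authenticates as, and lists the databases a hostile app could reach through that login. The app names, server name `db1`, and the `nw_app`/`pubs_app` logins are constructed; it assumes no impersonation, one shared `ASPNET` worker account, and that a login is granted exactly the databases it is used for.

```python
# Added example: all sample data below is constructed, not from the thread.
from collections import defaultdict

# SqlClient keyword synonyms, normalised to one short name each.
SYNONYMS = {
    "integrated security": "integrated", "trusted_connection": "integrated",
    "user id": "uid", "uid": "uid", "user": "uid",
    "password": "pwd", "pwd": "pwd",
    "initial catalog": "database", "database": "database",
    "data source": "server", "server": "server",
}

def parse(conn_str):
    """Split 'key=value;...' into a dict with normalised, lower-cased keys."""
    out = {}
    for part in conn_str.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        out[SYNONYMS.get(key, key)] = value.strip()
    return out

def principal(conn_str, process_account="ASPNET"):
    """Login the connection authenticates as (assumes no impersonation)."""
    kv = parse(conn_str)
    if kv.get("integrated", "").lower() in ("sspi", "true", "yes"):
        return "windows:" + process_account  # identity of the worker process
    return "sql:" + kv.get("uid", "")

def blast_radius(apps):
    """Per app: every database granted to the login that app runs under."""
    by_login = defaultdict(set)
    for conn in apps.values():
        by_login[principal(conn)].add(parse(conn)["database"])
    return {app: sorted(by_login[principal(conn)]) for app, conn in apps.items()}

# Constructed inventory: two sites on one server, as in the question above.
SHARED = {
    "northwind_site": "data source=db1;initial catalog=Northwind;integrated security=SSPI;",
    "pubs_site": "Server=db1;Database=Pubs;Trusted_Connection=yes;",
}
PER_APP = {
    "northwind_site": "data source=db1;initial catalog=Northwind;uid=nw_app;pwd=<placeholder>",
    "pubs_site": "data source=db1;initial catalog=Pubs;uid=pubs_app;pwd=<placeholder>",
}

if __name__ == "__main__":
    print(blast_radius(SHARED))   # both sites reach both databases
    print(blast_radius(PER_APP))  # each site reaches only its own database
```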

