Re: Securing a .NET webapp with ActiveDir and SQL-server?
- From: "Jim Andersen" <nospam@xxxxxxxxx>
- Date: Mon, 16 Jan 2006 13:21:47 +0100
"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message
news:4580be631950c68c7e8a73326e05e@xxxxxxxxxxxxxxxxxxxxx
Hi Dominick
> - enable integrated in IIS, disable anonymous
Didn't I do that correctly?
>> Using Inetmgr I go to tab "directory security" and make sure only
>> "Integrated windows" is checked.
> - why do you need authorization inside your app? are only specific emps
> allowed to see specific customers?
Yes.
> - don't connect to sql server using administrative privileges
I created a user and put him in the db_owner role for the specific database.
> - wrap all data access in stored procedures - the user that connects to the
> db should only be allowed to execute the sprocs, no direct table access
Ok. But should I have my webapp supply the sproc with the name/identity of
the user as an argument, and have the sproc make an access-check, and create
a log record in my log table and THEN pass data back to the webapp, or should
my webapp call a series of sprocs?
> - use SSL - for IIS and SQL Server
> - logging should be done on the web server in your case
Elaborate please? When the user clicks the "See Customer Details" button I
should call a logging-sproc, and then a getcustomerdetails sproc?
> - encryption is a complex topic. Will the web application also decrypt the
> data again? Or is this done in a separate app? Single Server or Cluster?
The webapp must be able to show the unencrypted data. When user clicks the
"Update Customer Details" the sensitive data (one field) should be
encrypted, and stored in sql-server. When he clicks "See Customer Details"
the unencrypted data (clear text) should be shown to the user in a webform.
Can I have sql-server (sproc) encrypt/decrypt the data instead of the webapp
(.net)?
> switching to 2.0 is recommended.
In general or for this specific purpose?
> This is an overview - if you have any questions regarding the above point,
> feel free to ask
You asked for it !
/jim
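As an added illustration of the "one sproc or a series of sprocs" question and the "encrypt in SQL Server" question above (example T-SQL written for this page, not code from either poster): a single procedure that takes the employee identity as an argument, does the access check, writes the log record and only then returns the decrypted row, with the app login limited to EXECUTE. All table, column, login and key names are assumptions; the EncryptByKey/DecryptByKey functions require SQL Server 2005.

```sql
-- Added example, not from the thread. Table, column, login and key names are assumed.
-- Requires SQL Server 2005 for the built-in symmetric key functions.

-- 1. The app login gets EXECUTE only: not db_owner, and no direct table access.
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GRANT EXECUTE ON SCHEMA::dbo TO WebAppUser;   -- no SELECT/INSERT/UPDATE on tables

-- 2. Key material for the one sensitive column, kept inside SQL Server.
CREATE MASTER KEY ENCRYPTION BY PASSWORD = '<strong master key password>';
CREATE CERTIFICATE CustomerCert WITH SUBJECT = 'Customer data protection';
CREATE SYMMETRIC KEY CustomerKey WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE CustomerCert;
GO

-- 3. Access check, audit log and decrypted read in one call.
--    @EmployeeLogin is the Windows identity the webapp reads from
--    User.Identity.Name after IIS integrated authentication. The sproc has to
--    trust the webapp for this value, so the webapp must never accept it from
--    the request itself (query string, form field, cookie).
CREATE PROCEDURE dbo.GetCustomerDetails
    @CustomerId    int,
    @EmployeeLogin nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;

    -- Deny by default: only an explicit assignment row grants access.
    IF NOT EXISTS (SELECT 1 FROM dbo.EmployeeCustomer
                   WHERE EmployeeLogin = @EmployeeLogin AND CustomerId = @CustomerId)
    BEGIN
        INSERT INTO dbo.AccessLog (EmployeeLogin, CustomerId, Action, Allowed, LoggedAt)
        VALUES (@EmployeeLogin, @CustomerId, 'SeeDetails', 0, GETUTCDATE());
        RAISERROR('Access denied', 16, 1);
        RETURN;
    END

    -- Log the successful read before any data leaves the procedure.
    INSERT INTO dbo.AccessLog (EmployeeLogin, CustomerId, Action, Allowed, LoggedAt)
    VALUES (@EmployeeLogin, @CustomerId, 'SeeDetails', 1, GETUTCDATE());

    -- Decrypt the sensitive column inside SQL Server, so the webapp never holds the key.
    OPEN SYMMETRIC KEY CustomerKey DECRYPTION BY CERTIFICATE CustomerCert;
    SELECT CustomerId, Name,
           CONVERT(nvarchar(200), DecryptByKey(SensitiveData)) AS SensitiveData
    FROM dbo.Customer
    WHERE CustomerId = @CustomerId;
    CLOSE SYMMETRIC KEY CustomerKey;
END
GO
```

The matching update procedure mirrors this: same access check and log insert, then `EncryptByKey(Key_GUID('CustomerKey'), @SensitiveData)` stored into a varbinary column. Because the key is opened by the procedure, the EXECUTE-only app user can decrypt through it but cannot read the raw column directly.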