Re: Security design - is this safe?

From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 03/13/03


From: "Karl Levinson [x y] mvp" <levinson_k@excite.com>
Date: Wed, 12 Mar 2003 20:40:38 -0500


A common and possibly safer way to permit access to databases is to use a
shared local account on the database server [either in Windows or in SQL or
the database], use a connect string or other method to tell the web server
to connect to the database using that ID for all web users, and then use
another method of authentication, such as a table of user IDs and passwords
within the database itself, to select which users are permitted access to
which tables.

The passwords in the database would probably be different from the passwords
on the domain, but when it comes to security, this is generally a positive
rather than a negative.

Be sure to write your code securely, such as do input checking to prevent
attacks like SQL injection, be careful about how persistent variables are
stored and passed, etc. See here for places to start getting more info:
http://securityadmin.info
http://www.owasp.org
http://www.cert.org/tech_tips

"Runner" <pwright@diamondchain.com> wrote in message
news:uhS1$zM6CHA.2272@TK2MSFTNGP12.phx.gbl...
> I have a W2K/IIS 5.0 web server in a DMZ from which we need authenticated
> users to access resources in an NT 4.0 domain. The web server is between two
> firewalls. How reckless would it be to make the web server a member of the
> NT 4.0 domain? I can't figure out a better way to allow access to databases
> and apps on the LAN without authenticating everyone on the domain.
>


