Security: ASP.Net + SQL Server DMZ

From: Tushar Karsan (Tushar.KARSAN_at_Nottingham.Sema.slb.com)
Date: 07/18/03


Date: Fri, 18 Jul 2003 15:51:57 +0100


(Been reading other messages on this subject but could not find an answer,
that is why I'm posting this. Please note, although I have posted to several
groups, I've set follow-up to microsoft.public.sqlserver.security in case I
posted to where I shouldn't have, sorry if I have).

I am working on an ASP.Net app that will be in the DMZ and SQL Server will be
behind the firewall inside a secure zone. It seems as though there are two
possible methods of securing the DB:

1. Using integrated security.
a. This will use the Win2K challenge-response mechanism and hence passwords and
user IDs would not need to be handled in the web app.
b. This probably means that both ASP.Net and DB would have to be on the same
windows domain.

2. Using SQL Server security (do not know if it is the right name)
a. Connection-string will need to include both uid and pwd.
b. For security reasons, connection-string will need to be stored away from
the app in a secure place, probably encrypted.
c. At runtime the connection-string will need retrieving and decrypting and
passed as clear text to Open() method on connection.

It seems as though 2c makes it less secure if the network is spoofed, hence
method 1 seems to be the better option, is that correct? If so, port 1433
would need to be opened between the DMZ and the DB zone, in that direction, is
that correct?

Any other pointers or suggestions will be much appreciated.

thanks,
Tushar
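
A small C# check for the two methods listed in the post, added here as an example (it is not part of the original message): it classifies a connection string as integrated security or SQL Server login, and redacts any embedded password before the string is logged. The class and method names are hypothetical, and the server, database and login names are constructed placeholders.

```csharp
using System;
using System.Data.Common;

static class ConnectionStringAudit
{
    // Keyword synonyms the SQL Server .NET provider accepts.
    static readonly string[] IntegratedKeys = { "Integrated Security", "Trusted_Connection" };
    static readonly string[] UserKeys = { "User ID", "UID" };
    static readonly string[] PasswordKeys = { "Password", "PWD" };

    static string Find(DbConnectionStringBuilder b, string[] keys)
    {
        foreach (string k in keys)
            if (b.TryGetValue(k, out object v)) return Convert.ToString(v);
        return null;
    }
    // Reports which of the two methods a connection string uses.
    public static string Classify(string connectionString)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        string mode = (Find(b, IntegratedKeys) ?? "").Trim().ToLowerInvariant();
        bool integrated = mode == "sspi" || mode == "true" || mode == "yes";
        bool hasSecret = Find(b, PasswordKeys) != null;
        if (integrated)
            return hasSecret ? "method 1, but an unused password is still embedded"
                             : "method 1: integrated security, no secret in the string";
        if (hasSecret || Find(b, UserKeys) != null)
            return "method 2: SQL Server login, string contains credentials";
        return "no authentication keywords found";
    }
    // Returns a copy that is safe to write to logs or error pages.
    public static string Redact(string connectionString)
    {
        var b = new DbConnectionStringBuilder { ConnectionString = connectionString };
        foreach (string k in PasswordKeys)
            if (b.ContainsKey(k)) b[k] = "***";
        return b.ConnectionString;
    }
    static void Main()
    {
        // Constructed samples: server, database and login names are placeholders.
        string[] samples = {
            "Server=db.example.internal;Database=AppDb;Integrated Security=SSPI",
            "Server=db.example.internal;Database=AppDb;uid=app_user;pwd=PLACEHOLDER",
        };
        foreach (string s in samples)
            Console.WriteLine("{0}\n  -> {1}", Redact(s), Classify(s));
    }
}
```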