Re: Active directory control of SQL/WEB users security

From: John Warren (jwarren_at_prudentrx.com)
Date: 09/03/03


Date: Wed, 3 Sep 2003 12:53:16 -0700


>-----Original Message-----
>"John Warren" <jwarren@prudentrx.com> wrote in message
>news:0dff01c37234$34c61b10$a601280a@phx.gbl...
>> We are looking at what to use to control users security
>> through WEB apps connected to a SQL2K data base. Different
>> users will have different ability to access data in the DB.
>>
>> We were thinking about using Active Directory for the user
>> database. WEB apps would require access to information in
>> AD to control access.
>>
>> I can provide more information if needed.
>>
>>
>> Does anyone know of some app notes that might help?
>
>Since the users will never be connecting directly to the data (your ASP or
>ASP.NET code on the IIS server will) there's no need to define per user
>security on the DB. Just control access to the web pages with IIS
>authentication and create one "service" type account for use in code for the
>data connections. You'll also get maximum benefit in connection pooling
>that way.
>
>http://www.microsoft.com/windows2000/en/server/iis/
>
>Microsoft Internet Information Server
> Administration
> Server Administration
> Security
> Authentication
> Access Control
>
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/gs_authentication.asp
>
>
>HOW TO: Configure IIS 5.0 Web Site Authentication in Windows 2000
>http://support.microsoft.com/?id=310344
>HOW TO: Configure User and Group Access on an Intranet in Windows 2000 or
>Windows NT 4.0
>http://support.microsoft.com/?id=325358
>HOW TO: Configure IIS Web Site Authentication in Windows Server 2003
>http://support.microsoft.com/default.aspx?scid=kb;en-us;324274
>
>--
>Tom Kaminski IIS MVP
>http://www.iistoolshed.com/ - tools, scripts, and utilities for running IIS
>http://mvp.support.microsoft.com/
>http://www.microsoft.com/windowsserver2003/community/centers/iis/
>

Access control to the WEB pages will take care of the
first level of security.

What I'd like to see is if we could use AD from within SQL/WEB
apps to control users' access to data within SQL by the use
of groups or extending the schema. That way we have
control at one point. This may not be the best way but we
are looking at options. It may be better to write access
control at the SQL or ASP/.NET level.
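
An added example, not part of either poster's message: one way AD groups can drive data access inside SQL Server 2000, using Windows group logins, a database role and a view filtered with IS_MEMBER. The domain CORP, the two groups, SalesDb and dbo.Orders are hypothetical names. It assumes the web tier connects with Windows authentication as the end user; under the single "service" account from the quoted reply, IS_MEMBER would evaluate that account's groups instead.

```sql
-- Hypothetical names throughout: CORP domain, both AD groups, SalesDb, dbo.Orders.
-- SQL Server 2000 syntax; run as a sysadmin / db_owner.

-- 1. Let each AD group log in to the server (no per-user logins to maintain).
EXEC sp_grantlogin N'CORP\Sales-West'
EXEC sp_grantlogin N'CORP\Sales-Managers'
GO

USE SalesDb
GO

-- 2. Map each group to a database user and collect them in one role.
EXEC sp_grantdbaccess N'CORP\Sales-West', N'SalesWest'
EXEC sp_grantdbaccess N'CORP\Sales-Managers', N'SalesManagers'
EXEC sp_addrole N'order_readers'
EXEC sp_addrolemember N'order_readers', N'SalesWest'
EXEC sp_addrolemember N'order_readers', N'SalesManagers'
GO

-- 3. Row filter driven by the AD group membership of the connected Windows user.
--    Managers see every row; Sales-West members see only their region.
CREATE VIEW dbo.v_Orders
AS
SELECT OrderID, Region, Amount
FROM dbo.Orders
WHERE IS_MEMBER(N'CORP\Sales-Managers') = 1
   OR (Region = N'West' AND IS_MEMBER(N'CORP\Sales-West') = 1)
GO

-- 4. The role reads through the view only. The view and the table share the
--    owner dbo, so the ownership chain lets the view read the table even
--    though direct SELECT on the table is denied.
DENY SELECT ON dbo.Orders TO order_readers
GRANT SELECT ON dbo.v_Orders TO order_readers
GO
```

With this layout, moving a user between AD groups changes what the view returns on their next connection, with no change in SQL Server; the cost is that connections are pooled per user rather than shared.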


