Re: Security in DMZ
- From: "Sylvain Lafontaine" <sylvain aei ca (fill the blanks, no spam please)>
- Date: Sat, 27 Sep 2008 16:06:21 -0400
The problem with the method is that it totally defeats the purpose of having
set up a DMZ zone. Not only does it store on the DMZ machine the password of a
privileged account that has been set up with wide access on the SQL-Server, but
this Windows account can be used directly as an anonymous user under IIS7 to
access the SQL-Server; so you don't even have to hack/crack the password to
use it.

In general, using a SQL login account over a Windows account is not really
recommended for security purposes because the password is transmitted in
the clear over the network (but this problem can be solved by using SSL to
communicate with the SQL Server). However, in this particular case, I don't
see the advantage of not using a SQL login account if the Windows account
used for the impersonation is to be readily accessible to any hacker who
will get access to the DMZ machine.
--
Sylvain Lafontaine, ing.
MVP - Technologies Virtual-PC
E-mail: sylvain aei ca (fill the blanks, no spam please)
"Arne Garvander" <ArneGarvander@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:067835D3-D4B7-47E3-900E-FE3F96BDF8CB@xxxxxxxxxxxxxxxx
> Yes, I use impersonate.
> Try this link:
> http://www.garvander.com/arne/impersonate.htm
> --
> Arne Garvander
> (I program VB.Net for fun and C# to get paid. When I get paid, I laugh all
> the way to the bank.)
>
> "Mohit K. Gupta" wrote:
>> Hmm, interesting; my mistake then. Mind listing the settings for me? I
>> would like to note it if I need it :).
>> So I am taking a guess you had to do impersonation in Windows? Sorry,
>> not a Windows Server expert. Mind explaining to me? I would like to
>> learn :).
>> Thanks.
>> --
>> Mohit K. Gupta
>> B.Sc. CS, Minor Japanese
>> MCTS: SQL Server 2005
>> http://sqllearnings.blogspot.com/
>>
>> "Arne Garvander" wrote:
>>> Actually I got it done with a local account today.
>>> I had to go through a list of about half a dozen settings before I was
>>> done.
>>> I had to create two identical local accounts on the SQL server and DMZ
>>> server and a few other settings. Now it works great.
>>> --
>>> Arne Garvander
>>> (I program VB.Net for fun and C# to get paid. When I get paid, I laugh
>>> all the way to the bank.)
>>>
>>> "Mohit K. Gupta" wrote:
>>>> Computer?
>>>> If I am understanding you right; you can't. Because those accounts are
>>>> local to that computer, there is no way for SQL Server to get the
>>>> authentication token from a local computer account. If you have a
>>>> Domain Controller out there; then you can create a DMZ account on an
>>>> internal server.
>>>> Thanks
>>>> --
>>>> Mohit K. Gupta
>>>> B.Sc. CS, Minor Japanese
>>>> MCTS: SQL Server 2005
>>>> http://sqllearnings.blogspot.com/
>>>>
>>>> "Arne Garvander" wrote:
>>>>> CREATE LOGIN [wep-2\ccc] FROM WINDOWS WITH DEFAULT_DATABASE=[master]
>>>>> Error Message
>>>>> Windows NT user or group 'wep-2\ccc' not found. Check the name again.
>>>>> How do I make SQL server trust a computer in the DMZ?
>>>>> --
>>>>> Arne Garvander
>>>>> (I program VB.Net for fun and C# to get paid. When I get paid, I
>>>>> laugh all the way to the bank.)
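
The two concerns raised in the reply at the top of this message (an account with wide access reachable from the DMZ host, and credentials crossing the network unencrypted) can be checked on the SQL Server side. The T-SQL below is an added example, not code from any participant in the thread; the database `AppDb`, the login `dmz_web_app`, the schema `web` and the password placeholder are assumptions made for illustration.

```sql
-- Added example (T-SQL). AppDb, dmz_web_app and the web schema are
-- hypothetical names; the password is a placeholder to be replaced.

USE [master];
GO
-- Dedicated SQL login for the DMZ web server, Windows password policy enforced.
CREATE LOGIN [dmz_web_app]
    WITH PASSWORD = N'<REPLACE-WITH-GENERATED-SECRET>',
         DEFAULT_DATABASE = [AppDb],
         CHECK_POLICY = ON;
GO

USE [AppDb];
GO
-- Map the login to a database user and grant only what the site calls:
-- EXECUTE on one schema of stored procedures. No role membership and no
-- direct table permissions, so a compromised DMZ host gets a narrow surface.
CREATE USER [dmz_web_app] FOR LOGIN [dmz_web_app];
GRANT EXECUTE ON SCHEMA::[web] TO [dmz_web_app];
GO

-- Check 1: server roles held by the login. Any row returned is a finding,
-- because the DMZ-facing login should hold no server role at all.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = N'dmz_web_app';

-- Check 2: current connections for the login that are NOT encrypted.
-- Requires VIEW SERVER STATE. Any row returned means that session, and the
-- SQL login handshake before it, is not protected by SSL/TLS.
SELECT s.session_id,
       s.host_name,
       c.client_net_address,
       c.auth_scheme,        -- 'SQL' for SQL logins, 'NTLM'/'KERBEROS' for Windows
       c.encrypt_option      -- 'TRUE' or 'FALSE'
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE s.login_name = N'dmz_web_app'
  AND c.encrypt_option = 'FALSE';
```

Rows from the second check point at a client connection string without `Encrypt=True` or a server instance where Force Encryption is not enabled.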