I had an interview in Redmond where they asked me security questions about ASP.NET. One of the questions asked how to configure a secure intranet application to use constrained delegation to access SQL Server. In this scenario an AD user account is granted access to SQL Server. The whole point of the exercise: a) no username/password is stored anywhere on the web server (web.config), and b) it provides a security model that can be managed in Active Directory.
It got me thinking about how I have been configuring my sites for anonymous access all these years. Normally I run my IIS websites under the default anonymous account and store the connection string in web.config (encrypted, and sometimes in plain text). This, of course, requires running SQL Server in mixed mode. So my question is: what if no connection string credentials were configured in web.config at all, and instead I created a unique domain account as the anonymous identity for a particular site, which would be granted db_datareader in SQL Server? Is there any reason this would be a bad idea?
I have tried to think of all the scenarios where it would be a bad idea, and I can imagine a "hacker" compromising the code on the web server and then somehow reaching your SQL Server... but that could happen in either scenario.
Does anyone know the best practice here?
Where I work, we have a Windows service that runs under a specific domain account. That account is set up as a login in SQL Server and mapped to the DB it needs access to; we have not had any problems with it.
I think the most important thing is that you configure your database user (or role) properly so that it has only the permissions it needs.
I have used AD for SQL Server access in the same way you describe in your first paragraph (AD Group -> SQL Server Login -> DB User -> DB Objects). The only drawback I have seen so far is that if a user connects directly to the database, they bypass any logic in your app. One advantage is that you know which domain users are accessing your database.
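To make the setup the question and this answer describe concrete, here is an added T-SQL example. It is not code from the question or from either answer, and the domain, account, database and table names (CONTOSO, svc-intranet-web, IntranetDb, dbo.Announcements) are assumptions. It walks the chain Windows Login -> DB User -> db_datareader and then checks the resulting permissions by impersonating the account, so you can confirm that a compromised web tier holding only this identity can read but not write. The web.config side needs no credentials at all: the connection string is just `Server=sqlhost;Database=IntranetDb;Integrated Security=SSPI;` and the application pool (or anonymous identity) runs as the domain account.

```sql
-- Added example: AD-only access for a web application identity.
-- Assumed names: domain CONTOSO, service account svc-intranet-web,
-- database IntranetDb, table dbo.Announcements.

-- 1. Server level: a Windows login for the domain account (or for an
--    AD group that contains it). No password exists in SQL Server or on
--    the web server; Kerberos/NTLM authenticates the caller, so the
--    instance can stay in Windows Authentication mode rather than mixed.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\svc-intranet-web')
    CREATE LOGIN [CONTOSO\svc-intranet-web] FROM WINDOWS
        WITH DEFAULT_DATABASE = IntranetDb;
GO

-- 2. Database level: a user mapped to that login, holding only
--    db_datareader (ALTER ROLE ... ADD MEMBER needs SQL Server 2012+).
USE IntranetDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CONTOSO\svc-intranet-web')
    CREATE USER [CONTOSO\svc-intranet-web]
        FOR LOGIN [CONTOSO\svc-intranet-web];
ALTER ROLE db_datareader ADD MEMBER [CONTOSO\svc-intranet-web];
GO

-- 3. Check: list the account's role memberships in this database.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CONTOSO\svc-intranet-web';

-- 4. Check: impersonate the account and prove that reads succeed while
--    writes are refused. Run as a principal that holds IMPERSONATE on
--    the user (e.g. a db_owner). dbo.Announcements is an assumed table.
EXECUTE AS USER = N'CONTOSO\svc-intranet-web';
    SELECT TOP (5) * FROM dbo.Announcements;        -- allowed by db_datareader
    BEGIN TRY
        INSERT INTO dbo.Announcements (Title) VALUES (N'should fail');
    END TRY
    BEGIN CATCH
        -- Expect error 229: The INSERT permission was denied on the object
        SELECT ERROR_NUMBER() AS err, ERROR_MESSAGE() AS msg;
    END CATCH;
REVERT;
GO
```

Granting db_datareader at the role level rather than per table is what keeps the model manageable from AD: adding a new site identity is one CREATE LOGIN / CREATE USER / ALTER ROLE, and removing access is disabling the account in Active Directory. The impersonation check in step 4 is worth keeping as a deployment test, since it is the one place that demonstrates the "compromised web server gets read-only" property the question is counting on.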