Windows Authentication with IIS and SQL Server
Message
From: 19/09/2005 04:08:36
To: 16/09/2005 15:16:08, Keith Payne, Technical Marketing Solutions, Florida, United States
General information
Forum: Microsoft SQL Server
Category: Other
Miscellaneous
Thread ID: 01049749
Message ID: 01050793
Views: 28
Hi Keith,

After much further searching, the official Microsoft answer appears to be to use a domain account for anonymous access in IIS:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsentpro/html/veconintegratingiiswithyournetwork.asp

Best.

Matt.

>Matt,
>
>It will work with a domain account. It is not as secure relative to an intermediate process that controls exactly what gets sent to SQL Server. To send malicious code to SQL Server in an ASP application, all the hacker has to do is spoof the IIS machine and send the code to SQL Server to execute. Of course there are other security mechanisms in IIS, Windows Server, and SQL Server to make such an attack more difficult. But using an intermediate process decreases susceptibility to malicious code attacks by an order of magnitude.
>
>Simply put, if you maxed out the security using IIS -> SQL Server and minimized the security using IIS -> Middle Tier -> SQL Server, the three tier model is still more secure than the two tier model.
>
>Remember that IIS/ASP is almost 10 years old and SQL Server's security model is even older than that. The internet was still relatively tame back then.
>
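
The "intermediate process that controls exactly what gets sent to SQL Server" from the quoted reply, as an added sketch that is not code from either poster: the web tier may only name an operation and pass typed arguments, and the middle tier alone holds the SQL text. SQLite stands in for SQL Server so the block runs offline; the `orders` table, the operation names and the sample rows are constructed assumptions.

```python
import sqlite3

# Hypothetical catalogue: the only statements this middle tier will ever send.
# Each entry is (parameterized SQL, expected argument types).
OPERATIONS = {
    "get_order": ("SELECT id, customer, total FROM orders WHERE id = ?", (int,)),
    "orders_for_customer": (
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id", (str,)),
}


class RejectedRequest(Exception):
    """Raised when a request does not match the catalogue."""


class MiddleTier:
    def __init__(self, conn):
        self._conn = conn  # database connection held only by this tier

    def call(self, operation, *args):
        spec = OPERATIONS.get(operation)
        if spec is None:
            # Raw SQL or unknown names never reach the database.
            raise RejectedRequest(f"unknown operation: {operation!r}")
        sql, types = spec
        if len(args) != len(types):
            raise RejectedRequest("wrong number of arguments")
        for value, expected in zip(args, types):
            # Exact type match; this also rejects bool where int is expected.
            if type(value) is not expected:
                raise RejectedRequest(f"bad argument type for {operation!r}")
        # Arguments are bound as parameters, never concatenated into the SQL.
        return self._conn.execute(sql, args).fetchall()


def build_demo():
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "acme", 10.0), (2, "acme", 25.5), (3, "globex", 7.25)])
    return MiddleTier(conn)


if __name__ == "__main__":
    tier = build_demo()
    print(tier.call("orders_for_customer", "acme"))
```

In a deployment along these lines, the database login used by the middle tier would be the only one with rights on the tables, so the account IIS runs under needs no SQL Server permissions at all.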