Windows Authentication with IIS and SQL Server
Message
From: 19/09/2005 04:08:36
To: 16/09/2005 15:16:08, Keith Payne, Technical Marketing Solutions, Florida, United States
General information
Forum: Microsoft SQL Server
Category: Other
Miscellaneous
Thread ID: 01049749
Message ID: 01050793
Views: 29
Hi Keith,

After much further searching, the official Microsoft answer appears to be to use a domain account for anonymous access in IIS:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vsentpro/html/veconintegratingiiswithyournetwork.asp

Best.

Matt.

>Matt,
>
>It will work with a domain account. It is not as secure relative to an intermediate process that controls exactly what gets sent to SQL Server. To send malicious code to SQL Server in an ASP application, all the hacker has to do is spoof the IIS machine and send the code to SQL Server to execute. Of course there are other security mechanisms in IIS, Windows Server, and SQL Server to make such an attack more difficult. But using an intermediate process decreases susceptibility to malicious code attacks by an order of magnitude.
>
>Simply put, if you maxed out the security using IIS -> SQL Server and minimized the security using IIS -> Middle Tier -> SQL Server, the three tier model is still more secure than the two tier model.
>
>Remember that IIS/ASP is almost 10 years old and SQL Server's security model is even older than that. The internet was still relatively tame back then.
>
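
The quoted point about an intermediate process that controls exactly what gets sent to SQL Server, as an added example that is not part of the original thread: a middle tier that accepts only named operations with validated parameters, beside the two-tier path that executes whatever text arrives. Python's sqlite3 stands in for SQL Server here, and the table, operation names and sample rows are constructed for illustration.

```python
import sqlite3

def make_db():
    """Constructed sample data; sqlite3 is a stand-in for SQL Server (assumption)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, total REAL);
        INSERT INTO orders VALUES (1, 'alice', 10.0), (2, 'bob', 25.5), (3, 'alice', 7.25);
    """)
    return db

# The middle tier's whole contract: operation name -> (fixed SQL, one validator per parameter).
# Operation names are hypothetical.
OPERATIONS = {
    "orders_for_customer": (
        "SELECT id, total FROM orders WHERE customer = ? ORDER BY id",
        (lambda v: isinstance(v, str) and v.isalnum() and len(v) <= 32,),
    ),
    "order_total": (
        "SELECT total FROM orders WHERE id = ?",
        (lambda v: isinstance(v, int) and not isinstance(v, bool) and v > 0,),
    ),
}

class Rejected(Exception):
    """Request refused before anything reached the database."""

def middle_tier(db, operation, *args):
    """Run one allow-listed operation; the caller never supplies SQL text."""
    if operation not in OPERATIONS:
        raise Rejected(f"unknown operation: {operation!r}")
    sql, validators = OPERATIONS[operation]
    if len(args) != len(validators):
        raise Rejected("wrong number of arguments")
    for value, ok in zip(args, validators):
        if not ok(value):
            raise Rejected(f"invalid argument: {value!r}")
    return db.execute(sql, args).fetchall()  # values are bound, never concatenated

def two_tier(db, sql):
    """Two-tier contrast: any statement the web tier sends runs with the account's rights."""
    return db.execute(sql).fetchall()
```

With this layout the database login used by the middle tier needs rights only for the statements listed in `OPERATIONS`, whereas the two-tier login's rights are the only limit on what a compromised web tier can run.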