General information
Forum:
Microsoft SQL Server
>>My recomendation would be, for a web ap, since the users never actually connect to the database, to use a single SQL Login (SQL server or Nt server doesn't matter) which has db_owner access to the data (or SPs) and control the user login/secuirty at the application level.
>>
>>BOb
>
>I'm going to strongly disagree with you here Bob<s>. IMO, the user that the application uses should not be a member of the db_owner database role. It should have EXECUTE permission to the procs and the procs should be owned by dbo.
>
>Security by Least Privilege
>
>-Mike
Yes, I agree... take the word 'db_owner' out of my above message. It is a bit much.
Although, if the only account you made db_owner was with an NT account that ASP.NET impersonated which used NT Authentication to connect to the database, is there really a security issue?
Isn't that kind of like saying, you shouldn't have any server admin eqivilent logins because they have access to everything?
BOb
Previous
Next
Reply
View the map of this thread
View the map of this thread starting from this message only
View all messages of this thread
View all messages of this thread starting from this message only