From
13/08/2002 09:24:14
 
 
To
12/08/2002 15:48:37
General information
Forum:
Microsoft SQL Server
Category:
Security
Miscellaneous
Thread ID:
00688124
Message ID:
00689086
Views:
48
>>My recommendation would be, for a web app, since the users never actually connect to the database, to use a single SQL Login (SQL Server or NT server doesn't matter) which has db_owner access to the data (or SPs) and control the user login/security at the application level.
>>
>>BOb
>
>I'm going to strongly disagree with you here Bob<s>. IMO, the user that the application uses should not be a member of the db_owner database role. It should have EXECUTE permission to the procs and the procs should be owned by dbo.
>
>Security by Least Privilege
>
>-Mike

Yes, I agree... take the word 'db_owner' out of my above message. It is a bit much.

Although, if the only account you made db_owner was with an NT account that ASP.NET impersonated which used NT Authentication to connect to the database, is there really a security issue?

Isn't that kind of like saying you shouldn't have any server admin equivalent logins because they have access to everything?

BOb
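The least-privilege setup Mike describes above (an application user with EXECUTE on procs owned by dbo, not db_owner membership), as an added T-SQL example that is not part of the thread. The database WebAppDb, login WebAppLogin, user WebAppUser, role WebAppExec, procedure dbo.GetOrders and table dbo.Orders are all hypothetical names; the syntax is SQL Server 2005+ (CREATE LOGIN/USER, EXECUTE AS), whereas in 2002 the equivalent would have been sp_addlogin/sp_grantdbaccess.

```sql
-- Added example, not from the thread. All object names are hypothetical.
USE WebAppDb;
GO

-- The setting the thread rejects: the single application user placed in
-- db_owner. That user could then read and alter every table and drop
-- objects, bypassing the stored procedures entirely.
-- EXEC sp_addrolemember 'db_owner', 'WebAppUser';   -- do not do this

-- Least-privilege alternative: one application login, one database user,
-- and a dedicated role that holds nothing but EXECUTE on the procs.
CREATE LOGIN WebAppLogin WITH PASSWORD = '<strong-password-placeholder>';
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
CREATE ROLE WebAppExec;
EXEC sp_addrolemember 'WebAppExec', 'WebAppUser';

-- The procs live in the dbo schema (owned by dbo), as do the tables they
-- touch, so ownership chaining lets the proc read dbo.Orders without the
-- caller ever holding SELECT on the table.
GRANT EXECUTE ON dbo.GetOrders TO WebAppExec;
-- Or, to cover every proc in the dbo schema at once:
-- GRANT EXECUTE ON SCHEMA::dbo TO WebAppExec;

-- Check the result from the application user's point of view: it should be
-- able to execute the proc, but not select from the table directly, and it
-- should not be a member of db_owner.
EXECUTE AS USER = 'WebAppUser';
SELECT HAS_PERMS_BY_NAME('dbo.GetOrders', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Orders',    'OBJECT', 'SELECT')  AS can_select_table,
       IS_ROLEMEMBER('db_owner')                               AS in_db_owner;
REVERT;
```

The same check is worth re-running after schema changes, since a proc created under a different owner breaks the ownership chain and silently starts failing for the application user.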