views: 179

answers: 3

What's the preferred (best practice) means of connecting an ASP.Net Website to a database? I doubt it's as simple as using Trusted-Connection and giving the NT-Authority accounts access.

What do y'all do? Assuming a clean install of SQL Server (2008), what do you do to configure access to the database for a website?

+1  A: 

I usually run ASP.NET app pool as a separate account (not NT AUTHORITY\NETWORK SERVICE) and use Windows authentication to access the SQL Server. This method has the advantage of not storing the password in config files.

Steps:

  1. Create a user account to run your ASP.NET application on.
  2. Create an application pool in IIS and run it on the created account.
  3. Assign NTFS permissions that your application needs to the account.
  4. Grant permission to login on SQL Server.
  5. Assign the appropriate database roles to the created login.

This will work for many apps. For more complex security environments, you might need more sophisticated strategies.

Mehrdad Afshari
That makes sense. Can you provide a link or maybe more instruction regarding implementation?
jcelgin
Also bear in mind that you can define your own roles for a database - if you're trying for best practice you want to limit what an application (the associated user) can or can't do beyond the inherent restrictions in the standard roles.
Murph
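Steps 4 and 5 of the answer above, together with Murph's suggestion of a custom role rather than the built-in ones, as an added T-SQL example written for this thread (not code from the answer); the account name MYDOMAIN\svc_webapp, the database WebAppDb and the role webapp_role are assumed placeholders.

```sql
-- Added example. Assumed names: Windows account MYDOMAIN\svc_webapp runs the
-- app pool, the site's database is WebAppDb, its objects live in schema dbo.
-- Step 4: a Windows login for the app pool identity; no password is stored anywhere.
USE master;
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'MYDOMAIN\svc_webapp')
    CREATE LOGIN [MYDOMAIN\svc_webapp] FROM WINDOWS WITH DEFAULT_DATABASE = [WebAppDb];
GO
-- Step 5: map the login into the database and give it only what the app needs.
USE WebAppDb;
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'svc_webapp')
    CREATE USER [svc_webapp] FOR LOGIN [MYDOMAIN\svc_webapp];
GO
-- A custom role instead of db_datareader/db_datawriter/db_owner: the web app
-- gets DML on one schema and EXECUTE on its stored procedures, nothing else.
IF DATABASE_PRINCIPAL_ID(N'webapp_role') IS NULL
    CREATE ROLE [webapp_role];
GO
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::[dbo] TO [webapp_role];
GRANT EXECUTE ON SCHEMA::[dbo] TO [webapp_role];
-- An explicit DENY wins over any GRANT the account might pick up through
-- another role, so the app cannot create or alter objects in dbo.
DENY ALTER ON SCHEMA::[dbo] TO [webapp_role];
GO
-- sp_addrolemember is the SQL Server 2008 form (ALTER ROLE ... ADD MEMBER is 2012+).
EXEC sp_addrolemember N'webapp_role', N'svc_webapp';
GO
-- Check: impersonate the app account and list its effective permissions on the schema.
EXECUTE AS USER = N'svc_webapp';
SELECT permission_name FROM fn_my_permissions(N'dbo', N'SCHEMA') ORDER BY permission_name;
REVERT;
GO
```

The final SELECT should list only SELECT, INSERT, UPDATE, DELETE and EXECUTE; if db_owner or ALTER show up, the account has picked up more than the application needs.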
A: 

I used to use trusted connections, but ended up feeling that sometimes I ended up having to grant too many privileges to the service account used for the connection/app pool. Now I use SQL Server accounts and set up the application to encrypt the connection strings during Application_Start if they aren't already encrypted. In fact I encrypt any section that may contain user credentials. I use an appSetting to determine whether the encryption code runs so I don't encrypt my settings in the development environment.

tvanfosson
For large apps that might have different permissions, I completely agree. (SQL Server application role is another way to achieve least privileges.) But many Web apps are small enough that it doesn't make sense to have many different accounts. Passwords will create maintenance issues...
Mehrdad Afshari
A: 

I also use SQL Server accounts, just find it simpler to do and to troubleshoot.

EJB