> This requires putting a password in a config file.... and you are right back where you started.
Not if you use IIS anonymous access, ASP.NET windows authentication with impersonation set to true and IIS configured to use a domain account as the interactive user instead of IUSR_machinename...

regards
Julian

-----Original Message-----
From: Unmoderated discussion of advanced .NET topics. [mailto:[EMAIL PROTECTED]] On Behalf Of Philip Nelson
Sent: 09 December 2004 17:10
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] How and where to store securely a database connection string

--- Bob Provencher <[EMAIL PROTECTED]> wrote:

> We're talking about two different things. Windows authentication from the
> web server process to the database, not from the end user to the web server
> through to the database.

Kind of blows that whole protect your network from the web server thing, no? ;-)

There is an assumption in security best practices that web servers can be more easily compromised than internal systems, and thus anything the web server can do with its permissions should be as limited as possible. Allowing full access to a database would probably fit under the list of things not allowed. You could just as easily argue that if the web server is compromised, you are screwed anyway because the attacker would probably have access to whatever technique you use to get database credentials.

One other complication is that the machine account can't (and shouldn't) be used to access a database on another server, so you have to run that web server appdomain as a network user. This requires putting a password in a config file.... and you are right back where you started.
=====
Philip - http://blogs.xcskiwinn.org/panmanphil
"There's a difference between righteous anger and just being crabby" - Barbara

===================================
This list is hosted by DevelopMentor http://www.develop.com

Some .NET courses you may be interested in:

Essential .NET: building applications and components with C#
November 29 - December 3, in Los Angeles
http://www.develop.com/courses/edotnet

View archives and manage your subscription(s) at http://discuss.develop.com
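As an added illustration of the setup Julian describes (this is not code from the thread or from DevelopMentor), here is a web.config that puts the credential-in-config variant next to the impersonation variant. Server, database and account names are constructed, and the `<connectionStrings>` section assumes ASP.NET 2.0 or later (1.x kept connection strings in `<appSettings>`).

```xml
<?xml version="1.0"?>
<!-- Constructed example web.config: weak and preferred settings side by side. -->
<configuration>
  <connectionStrings>
    <!-- WEAK: a SQL login whose password sits in clear text in this file.
         Anyone who can read web.config (or a backup of it) gets the database. -->
    <add name="Inventory_SqlLogin"
         connectionString="Server=dbsrv01;Database=Inventory;User ID=webapp;Password=P@ssw0rd-example;"
         providerName="System.Data.SqlClient" />

    <!-- PREFERRED: Windows authentication (SSPI). No secret in the file; SQL Server
         grants rights to the Windows account the request is running as. -->
    <add name="Inventory_Sspi"
         connectionString="Server=dbsrv01;Database=Inventory;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient" />
  </connectionStrings>

  <system.web>
    <!-- Accept whatever identity IIS hands over. With IIS anonymous access enabled
         that is the anonymous account configured in IIS, assumed here to be the
         domain account EXAMPLE\svc-webapp instead of the local IUSR_<machine>. -->
    <authentication mode="Windows" />

    <!-- Process each request as that account rather than the worker process identity.
         Do not add userName/password attributes here: that would put a domain
         password straight back into the config file. -->
    <identity impersonate="true" />
  </system.web>
</configuration>
```

The anonymous account itself is chosen in the IIS console (site properties, Directory Security, anonymous access), not in web.config, and SQL Server needs a login for EXAMPLE\svc-webapp granted only the permissions the application actually uses, which is the limit Philip's point about a compromised web server argues for.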
