Security Forums

what authentication should IIS use to talk to SQL?

funkyd
Joined: 05 Mar 2003
Posts: 0


Offline

Posted: Thu Mar 20, 2003 6:27 pm    Post subject: what authentication should IIS use to talk to SQL?

We have web servers in our DMZ that talk to SQL servers on our trusted.

We are talking 10 web servers that in total talk to about 10 SQL servers with a total of 100+ databases.

Now at the moment we have a SQL user for each database that IIS uses. Problem is that because there are literally hundreds of logins, managing them is a nightmare.

What is the best way for me to reduce the number of logins I am using? Changing these passwords every month is going to be a bi*ch to say the least - hence currently they never get changed.

Could I just create one logon for each SQL server that IIS can use to read/write to all databases? Assuming it is correctly permissioned and audited that should be okay I think....

Any thoughts???
Mongrel
Joined: 30 May 2002
Posts: 8


Offline

Posted: Thu Mar 20, 2003 7:03 pm

We have a very similar situation - and we use SQL coupled with our own proprietary authentication. Yes, it's a major pain to manage - but the last thing I want are domain users who have rights to an SQL server.

For us that's the overriding issue. We use a combination of SQL roles (some custom ones) and views to lock down who does what.
funkyd
Joined: 05 Mar 2003
Posts: 0


Offline

Posted: Thu Mar 20, 2003 7:12 pm

The passwords we use are good - or appear to be. I am just worried that we are not changing them - probably because of the hassle in doing so. It would take hours - or even days to do.

I am wondering if I (yeah right!!) could write a script that changes all the passwords and updates IIS scripts by doing some sort of search and replace?

What about having just a single SQL logon for all websites to use? Okay so all sites can access all databases but surely the benefit of changing the password regularly far outweighs having tons of accounts with passwords that never change?

I found this document

http://w*w.secadministrator.com/Articles/Index.cfm?ArticleID=9356

It advises against using SQL authentication and to use NT as the SA account can be hacked. However as my web servers are not on the domain this isn't going to work...
Could I create local NT accounts on my SQL box and tell the web server to log in using those accounts? I could lock them right down and ensure that they can only access SQL and not any files etc etc perhaps?
Mongrel
Joined: 30 May 2002
Posts: 8


Offline

Posted: Thu Mar 20, 2003 9:00 pm

I think your password philosophy and login mechanism need to be driven by the security policies in place (if any), upper management's business-level requirements, and the client (if these SQL databases are client databases).

In our case it's largely client driven and much more stringent than our own policy regarding complexity and duration of passwords. They insisted on not having NT accounts and they are a multinational firm who handles millions of medical records.

I just don't like having ties between NT/2000 accounts and SQL accounts. A single login to SQL is a huge point of weakness.

See what others say - there are many SQL experts here better than I.
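The thread weighs "one login per SQL server" against hundreds of per-database logins. The following T-SQL is an added example, not code from any poster, showing how a single server-level login can still be confined per database through database users, a custom role and a view, and how rotation then becomes one statement per server. Login, database, role, table and view names are placeholders, and the syntax assumes SQL Server 2012 or later (the thread predates it).

```sql
-- Added example: one server login, scoped per database via users, a custom role and a view.
-- All names below (web_app, SalesDb, dbo.Orders, dbo.OrdersView, web_sales_reader) are placeholders.
USE master;
GO
-- One login per SQL Server; CHECK_POLICY applies the host's password complexity/lockout policy.
CREATE LOGIN web_app WITH PASSWORD = '<strong generated password>', CHECK_POLICY = ON;
GO

USE SalesDb;
GO
-- A database user is what lets the login into THIS database; databases the site
-- must not reach simply get no user, so "one login per server" != "all databases".
CREATE USER web_app FOR LOGIN web_app;
GO
-- Custom role carrying exactly what the web tier needs in this database.
CREATE ROLE web_sales_reader;
GO
-- The view exposes only the columns the site needs; the base table is never granted.
CREATE VIEW dbo.OrdersView AS
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders;
GO
-- Because view and table share the owner (dbo), ownership chaining lets the view be
-- read without any permission on dbo.Orders itself.
GRANT SELECT ON dbo.OrdersView TO web_sales_reader;
ALTER ROLE web_sales_reader ADD MEMBER web_app;
GO

-- Check the boundary from the login's point of view before pointing IIS at it.
EXECUTE AS USER = 'web_app';
SELECT TOP (1) * FROM dbo.OrdersView;   -- succeeds: granted via the role
SELECT TOP (1) * FROM dbo.Orders;       -- fails with a permission error: base table not granted
REVERT;
GO

-- Rotation is now one statement per server (run as a sysadmin), followed by updating
-- the single connection-string secret the web tier reads, not hundreds of scripts.
USE master;
ALTER LOGIN web_app WITH PASSWORD = '<new generated password>';
GO
```

Repeat the `USE <db>` block for each database the site legitimately needs; auditing then reduces to listing which databases hold a user for `web_app` and which roles that user belongs to.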