Making a Secure SQL connection


mych

Programmer
May 20, 2004
248
GB
I have a Web SQL application using ASP pages. I have a connection string defined in a config.asp file which is included in any ASP page that needs to make a connection to the DB.

The string takes the form of....

"Provider=sqloledb;Data Source=Server name or ip address;Initial Catalog=Database name;User Id=xxxx;Password=xxxx;"

I have been asked not to have the username and password in plain text. Is there another way of making the connection more secure?

Thanks

Mych
 
Plain text in the source code or plain text over the network?

If it is the former you could create a COM object to return an open database connection... or even more secure would be one that returns a disconnected recordset. This way your username and password would be in compiled code instead of plain text. The downside of this is you have to recompile if the username or password are changed.
 
Thanks Sheco....

Plain text both in source code and over the network. I have now found out that they want to change the DB to Windows Authentication only (turn off mixed mode).... I've only ever used the above connection method.

What will I need to change to use Win Authentication? Are there any sections/tutorials on this site or others that demonstrate this type of connectivity?

Thanks

Mych

Why are security bods so paranoid!!!
 
The security bods may have "private health information" and are trying to comply with the HIPAA law.

One problem with using Win Authentication is, since you are asking the ASP engine to run code on behalf of a user, the user must have at least read+execute access to everything needed to run the code possibly including system files on the web server. This is not required in the default configuration because then IIS runs the ASP in the security context of its local IUSR_<MachineName> account rather than a specific individual's Active Directory account. Be sure your "security bods" know this before you start so you don't hit another dead end.


Anyway, after configuring IIS to work only with the integrated windows security for all your ASP scripts, the connection string to use will be something like this:

Provider=sqloledb;Data Source=myServerAddress;Initial Catalog=myDataBase;Integrated Security=SSPI;Persist Security Info=False;

If that doesn't work you might try adding WSID=<MachineName>

I've used that connection string for desktop client/server apps but not for ASP.
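
Added example, not part of the thread and not any poster's code: a small Python audit that finds quoted OLE DB connection strings in ASP source and flags embedded SQL logins versus the Integrated Security=SSPI form discussed above. The sample file contents, server and account names are constructed, and treating `uid`/`pwd` as credential aliases is an assumption.

```python
import re

# Keys that carry a SQL login; "uid"/"pwd" are assumed aliases.
CRED_KEYS = {"user id", "uid", "password", "pwd"}

def parse_conn_string(s):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in s.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_conn_string(s):
    """Return a list of findings for one connection string."""
    kv = parse_conn_string(s)
    creds = sorted(k for k in kv.keys() & CRED_KEYS if kv[k])
    findings = [f"embedded credential: {k}" for k in creds]
    integrated = kv.get("integrated security", "").lower() == "sspi"
    if not integrated:
        findings.append("not using Integrated Security=SSPI")
    elif creds:
        findings.append("credentials present alongside Integrated Security")
    if kv.get("persist security info", "false").lower() in ("true", "yes"):
        findings.append("Persist Security Info is enabled")
    return findings

def audit_source(text):
    """Find quoted connection strings in ASP source and audit each one."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in re.finditer(r'"([^"]*\bProvider\s*=[^"]*)"', line, re.I):
            findings = audit_conn_string(m.group(1))
            if findings:
                results.append((lineno, findings))
    return results

# Constructed sample standing in for a config.asp file.
SAMPLE = '''<%
strOld = "Provider=sqloledb;Data Source=db01;Initial Catalog=Sales;User Id=webapp;Password=example;"
strNew = "Provider=sqloledb;Data Source=db01;Initial Catalog=Sales;Integrated Security=SSPI;Persist Security Info=False;"
%>'''

if __name__ == "__main__":
    for lineno, findings in audit_source(SAMPLE):
        print(f"line {lineno}: " + "; ".join(findings))
```
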
 