Sql Server Security with asp.net web site.

  • Question

  • My asp.net site is hosted on a virtual private server so I have complete control over the server configuration.  The asp.net web site and the sql server 2008 R2 both run on the same windows 2008 std server.  I currently use sql server authentication (rather than windows integrated security) to access the database, and the database is exposed to the internet.  I have disabled the sa login and created a strong password for the login I do use.  The sql server was configured by my hosting company to be exposed to the internet and I have a live web site using this configuration.

    My goal now is to use the most secure method for accessing the sql server.

    I would like to switch my web site to use windows integrated security for the sql server login but I have read some information that seems to indicate that asp.net websites cannot use windows integrated security, they must use sql server authentication.  Is that true?  If windows integrated security is allowed, note that I have tried to configure this.  The server has an IIS_User group so I created a user account and added it to this group. I gave this account access in sql server and set up the connection string but could not connect. Exactly how do I need to configure the server (windows server 2008 r2) and sql server to allow my asp.net 4.0 website to use windows authentication?  If sql server authentication must be used then I would like to stop exposing the sql server to the internet, because my website is on the same box as the sql server.  I do not need the server accessible over the internet because I can manage it by remoting in to the server.

    To summarize:

    Can windows authentication be used with an asp.net website?  If so, how do I set this up?

    If sql server authentication needs to be used (what I'm doing now) how do I remove the sql server from being exposed to the internet?



    • Edited by vbuser114 Thursday, April 25, 2013 4:12 PM changed 'windows authentication' to 'windows integrated security'
    Thursday, April 25, 2013 1:37 PM

Answers

  • So is it just a matter of running sql server config manager and turning off all except shared memory?

    Yes, if IIS and SQL Server are on the same box, shared memory is all you need.

    ...as long as you don't want to connect remotely to administer the database.


    Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se
    • Marked as answer by vbuser114 Friday, April 26, 2013 4:04 PM
    Thursday, April 25, 2013 9:26 PM
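
One way to script and verify the change described in the answer above, as an added example that is not part of the original thread. It assumes the default instance (MSSQLSERVER) on the default port 1433, the SMO WMI assembly that ships with SQL Server, and an elevated PowerShell session on the server itself.

```powershell
# Added example. Assumptions: default instance, default TCP port 1433,
# elevated session on the server, SMO WMI assembly installed with SQL Server.
[void][Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')

$instance = 'MSSQLSERVER'   # assumption: default instance
$service  = 'MSSQLSERVER'   # a named instance's service is 'MSSQL$<name>'

$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer $env:COMPUTERNAME
$protocols = $wmi.ServerInstances[$instance].ServerProtocols

# Desired state: Shared Memory (Sm) enabled, every other protocol disabled.
$changed = $false
foreach ($p in $protocols) {
    $want = ($p.Name -eq 'Sm')
    if ($p.IsEnabled -ne $want) {
        $p.IsEnabled = $want
        $p.Alter()              # persists the setting; takes effect after a restart
        $changed = $true
    }
    '{0,-4} {1,-15} enabled={2}' -f $p.Name, $p.DisplayName, $p.IsEnabled
}

# Protocol changes only apply after the service restarts. This briefly takes
# the database offline; -Force also stops dependent services such as
# SQL Server Agent, so confirm Agent is running again afterwards.
if ($changed) {
    Restart-Service -Name $service -Force
}

# Check 1: nothing should be listening on the SQL Server TCP port any more.
$listeners = netstat -ano | Select-String -Pattern ':1433\s.*LISTENING'
if ($listeners) {
    Write-Warning 'A process is still listening on TCP 1433:'
    $listeners
} else {
    'No listener on TCP 1433.'
}

# Check 2: a local connection forced onto shared memory (lpc: prefix) still works.
# -E uses the current Windows login, which must have access to the instance.
sqlcmd -S "lpc:$env:COMPUTERNAME" -E -Q "SELECT net_transport FROM sys.dm_exec_connections WHERE session_id = @@SPID"
```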

All replies

  • So is it just a matter of running sql server config manager and turning off all except shared memory?
    Thursday, April 25, 2013 4:54 PM