DevDays: A simple way to configure a domain account to access the database

The web track sessions at DevDays highlight how important it is to access SQL Server using a trusted connection. However, the OpenHack sample application "cheats" because the web site and the database run on the same machine, so you can simply configure the local ASPNET account in the database.

In the real world, the web server and the database don't always sit on the same machine. Then you can no longer just grant the web server's ASPNET account access to the database. You need to configure your web site to run under a domain account and grant that domain account access to the database.

One way to declaratively configure the account under which a web application accesses a database is to have the application impersonate a domain account using the <identity> tag in the web.config file.

<identity impersonate="true" userName="DOMAIN\WebAppAccount" password="clear-text-password" />

One advantage here is that you can apply this setting to individual ASP.NET web applications. You don't need to change the account under which the ASP.NET worker process (or the IIS application pool process) is running.

What's even better is that you don't have to lose any sleep worrying about somebody getting at the account credentials because they sit in clear text in the web.config file. What if somebody gets access to that file?

Well, don't worry! You can direct ASP.NET to read the credentials from an encrypted registry key instead of from the web.config file. The format for the identity tag is then

<identity impersonate="true"
userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />

To get the user name and password into the registry, Microsoft supplies the Aspnet_setreg.exe tool.

This feature is also available to configure the identity of the worker process and the connection string for the session state database.

Now you can securely store the identity to impersonate in the registry. If you want to kick security up another notch, you can ACL the registry keys that hold the user name and password - just as you saw in the OpenHack demo.
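As an added example (not code from the original post or from Microsoft), the following audit script checks a web.config for the weak setting described above: an <identity> tag whose userName or password is stored in clear text, or a sessionState connection string with an embedded password. Values in the "registry:HKLM\...,valueName" form written by aspnet_setreg are accepted. The two sample configs are constructed, and the sqlConnectionString value name used in the registry reference is an assumption.

```python
"""Audit an ASP.NET 1.x web.config for clear-text credentials.

Added example, not code from the original post or from Microsoft. It checks
the <identity> element and the <sessionState> sqlConnectionString the post
mentions and treats values of the "registry:HKLM\\...,valueName" form written
by aspnet_setreg as acceptable.
"""
import re
import xml.etree.ElementTree as ET

# Reference to an aspnet_setreg-encrypted value: "registry:HKLM\path\ASPNET_SETREG,valueName".
REGISTRY_REF = re.compile(r"^registry:HKLM\\[^,]+,\w+$", re.IGNORECASE)
# Password key inside a SQL connection string (a trusted connection has none).
PASSWORD_KEY = re.compile(r"(?:^|;)\s*(?:pwd|password)\s*=", re.IGNORECASE)


def is_registry_ref(value):
    """True if the attribute points at the registry instead of holding the secret."""
    return value is not None and REGISTRY_REF.match(value) is not None


def audit_web_config(xml_text):
    """Return a list of findings; an empty list means no clear-text secrets were found."""
    findings = []
    root = ET.fromstring(xml_text)

    identity = root.find("./system.web/identity")
    if identity is not None and identity.get("impersonate", "false").lower() == "true":
        for attr in ("userName", "password"):
            value = identity.get(attr)
            if value is None:
                continue  # no fixed account: impersonates the authenticated caller
            if not is_registry_ref(value):
                findings.append("identity/@%s is stored in clear text in web.config" % attr)

    session = root.find("./system.web/sessionState")
    if session is not None:
        conn = session.get("sqlConnectionString")
        if conn and not is_registry_ref(conn) and PASSWORD_KEY.search(conn):
            findings.append("sessionState/@sqlConnectionString carries a clear-text password")
    return findings


# Constructed sample configs (not from the post): the weak setting and the hardened one.
CLEARTEXT_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true" userName="CORP\webapp" password="Sample-Pass-123" />
    <sessionState mode="SQLServer"
        sqlConnectionString="data source=sql01;user id=sa;password=Sample-Pass-123" />
  </system.web>
</configuration>"""

# The registry value name for the session state string (sqlConnectionString) is an assumption.
REGISTRY_CONFIG = r"""<configuration>
  <system.web>
    <identity impersonate="true"
        userName="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,userName"
        password="registry:HKLM\SOFTWARE\MY_SECURE_APP\identity\ASPNET_SETREG,password" />
    <sessionState mode="SQLServer"
        sqlConnectionString="data source=sql01;Integrated Security=SSPI" />
  </system.web>
</configuration>"""

if __name__ == "__main__":
    for name, cfg in (("clear-text", CLEARTEXT_CONFIG), ("registry", REGISTRY_CONFIG)):
        print(name, audit_web_config(cfg) or ["ok"])
```

Run it against a real web.config by passing the file's contents to audit_web_config; a non-empty list means the credentials are still readable by anyone who can read the file, which is exactly the case the registry reference is meant to close.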

You can find more information and a link to download the aspnet_setreg tool from Microsoft.

Published Friday, March 05, 2004 11:09 PM by ChristophDotNet

Comments

# re: DevDays: A simple way to configure a domain account to access the database

Saturday, March 06, 2004 11:15 AM by Jerry Pisk
If somebody can access your configuration file what's to stop them from reading it and accessing the registry and decrypting your user name and password? Once again, this is not making your app any more secure than storing credentials directly in the config file.

Oh and you have to give this account the same privileges ASPNET account has (registry and file ACLs), which makes deployment a bit complicated since there are no command line tools to set registry ACLs.

# re: DevDays: A simple way to configure a domain account to access the database

Saturday, March 06, 2004 11:45 AM by Christoph
Jerry,

Actually, it does make it more secure.

It's quite a bit harder to get to the registry than it is to get to a web.config file. An admin that inadvertently turns off the file mappings for ASP.NET might compromise your web.config file. But if you store the credentials encrypted in the registry then there are still two extra steps for an attacker to get to a user account that can do "stuff" after they got the web.config file: getting to the registry and decrypting the credentials. It's three additional steps if you secure the registry key.

Remember, writing secure apps is about two things: identifying the off cases where security is compromised (what happens if ...) and then making it extremely hard to exploit an eventual breach. In this case you

There are certainly trade-offs to make. Are you going to protect your data, or are you opting for easy development and deployment? Is security more important than performance, etc.?

Your attackers make the same trade-off decisions: How much effort am I going to put into getting your secured data while risking to get caught.

It's up to you to decide how much security you want and how much you want to pay for it. That's the reality regardless of which platform you develop on, btw.

HTH,
Christoph

# re: DevDays: A simple way to configure a domain account to access the database

Monday, March 08, 2004 6:41 PM by Bryant Likes
Do you have to apply the hotfix for this to work?

http://support.microsoft.com/default.aspx?scid=kb;EN-US;329250

# Configure This

Monday, March 08, 2004 8:15 PM by TrackBack

# Configure This

Tuesday, March 09, 2004 1:31 PM by TrackBack

# re: DevDays: A simple way to configure a domain account to access the database

Thursday, March 11, 2004 4:53 PM by Josh
Wouldn't this work by creating the same "local" account (w/same password) on both the web server and SQL Server? I know that's more of a maintenance headache, but do you really want web code running in the context of a domain user?

# re: DevDays: A simple way to configure a domain account to access the database

Thursday, March 11, 2004 11:58 PM by Christoph
Bryant,

I didn't need the hotfix with the .NET Framework V1.1. The fix described in the KB article does not work on a box with .NET 1.0 SP2, which makes sense, because the build number is newer (360) than the one on the .NET 1.0 SP2 assemblies (288).

Thank you for pointing this out!

And btw, BizTalk Server 2004 does install aspnet_setreg. You don't need to download it if you already have BTS installed.

# re: DevDays: A simple way to configure a domain account to access the database

Sunday, March 14, 2004 10:06 PM by Christoph
Josh,

I know that you can set up two local accounts with the same username/password to get ASP pages to read files from another server. I was never particularly fond of that "feature", since I believe that the fact that authentication ignores the origin of the account isn't correct.

I did double check to find that you can connect to SQL Server as well once you grant the remote login permission to the account and add the account to SQL Server. Yet, I am still not fond of this "feature".

I don't see a problem assigning a domain account to access the database. It greatly simplifies maintenance (as you already pointed out) and you can dummy down the account by removing all permissions until you can't do anything different than the local ASPNET account can do.

You do have to pay extra attention to the account setup though, because if you mess up the permissions on that account (like accidentally making it a member of the Power Users or Administrators group), then the risk for damage is much, much greater than it would be for a bad configuration on a local account.

HTH,
Christoph

# How to use Trusted Connection when SQL server and web Server are on two separate machines.

Thursday, April 15, 2004 12:07 PM by TrackBack

# How to use Trusted Connection when SQL server and web Server are on two separate machines

Thursday, April 15, 2004 1:47 PM by TrackBack
How to use Trusted Connection when SQL server and web Server are on two separate machines

# How to use Trusted Connection when SQL server and web Server are on two separate machines.

Thursday, April 15, 2004 1:52 PM by TrackBack

# How to use Trusted Connection when SQL server and web Server are on two separate machines.

Thursday, April 15, 2004 11:56 PM by TrackBack

# Enterprise Connection String Management in ASP.NET - Best Practice?

Tuesday, May 11, 2004 3:18 PM by TrackBack

# Enterprise Connection String Management in ASP.NET - Best Practice?

Tuesday, May 11, 2004 4:28 PM by TrackBack

# How to use Trusted Connection when SQL server and web Server are on two separate machines.

Saturday, October 30, 2004 1:06 AM by TrackBack
