SQL 2000 sp3 security best practices

Monday, June 30, 2003

.NET General

I found interesting these new articles about SQL 2000 security (source Microsoft)
The figure shows security vulnerabilities in a simple multi-tier system

1 Comment

Funny. The one source for sql server related security problems is Microsoft itself. The reason for that is that is that it is impossible to impersonate f.e an asp.net website into a native windows domain user which has role based security in a sqlserver. You simply can't do that. You have to maintain credentials on multiple machines. Most people therefor do not use trusted connections but sqlserver connections using sqlserver accounts for situations like this (which are very common), which force you to store the credentials in the connection string.

MS clearly made a terrible mistake when they designed the asp.net user security and multi-machine websites. Ah well... thankfully sqlserver 2000 at the moment still allows you to specify a sqlserver account (but I heared support for this will be dropped in a later release)...

Also, MS has made it very hard (if not impossible) to communicate encrypted with your sqlserver machine. You have to jump through hoops to get it working and even then... (using ssl). In the unix world, they have ssh and can tunnel any connection through that secure connection protocol. Very clever and neat. How else did MS envision the secure, remote maintainance of webservers and sqlservers in a DMZ which are not part of ANY domain?

Frans Bouma - Monday, June 30, 2003 2:34:00 PM

Comments have been disabled for this content.