[dba-SQLServer] Integrated security

Steven W. Erbach serbach at new.rr.com
Tue Jan 4 06:48:48 CST 2005


Dear Group,

Hasn't been much traffic here since 26-Dec it looks like. Here's a poser, though it may not amount to much.

I've been working on a .NET project for some time (MUCH longer than anticipated) that uses a SQL Server 2000 back-end. The web host, CrystalTech, only offers two server logins in their "rental" agreement for their SQL Server capability. I wasn't aware of that at the outset; but I've reconciled myself to it. I use SQL Server authentication using my main login and password in the ADO connection string, and a user and password table to authorize further entry into the database I've set up. In ASP.NET the connection string is unavailable to the casual user. It's stored in the Web.config XML file and is not downloadable nor can it be accessed with a browser.

However, from my reading on ASP.NET application security, it appears that a sophisticated user/hacker can read the connection string using a memory dump, as I understand it. In version 2.0 of the Microsoft .NET Framework there's supposed to be a new class, System.Security, that will allow me to encrypt the connection string; but right now that string is somewhere in the managed memory heap and doesn't really get erased from there.

My question relates to integrated security. Forgive my naiveté on this, but am I correct in assuming that for integrated security to work with SQL Server, I have to log in from MY workstation using MY Windows login, is that right? In other words, integrated security is workstation-based, not username and password based, right? If that's the case, then I've only got two logins of that type with the CrystalTech SQL Server...and I may not even have that. So my only option is to use the SQL Server authentication I've already set up with the lookup of user names and passwords in a table in the database.

Thanks for your thoughts.

Regards,

Steve Erbach
Scientific Marketing
Neenah, WI
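
An added example, not part of the original post: a Python check that parses a Web.config of the kind described above and reports, for each connection string, whether it relies on SQL Server authentication with an embedded password or on integrated security, masking the password in its output. The sample file, setting names, server name and credentials are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample Web.config; server names, logins and passwords are made up.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <appSettings>
    <add key="MainDb" value="Server=sql.example.test;Database=Orders;User ID=app_login;Password=s3cret;" />
    <add key="PageTitle" value="Order entry" />
  </appSettings>
  <connectionStrings>
    <add name="Reports" connectionString="Data Source=sql.example.test;Initial Catalog=Orders;Integrated Security=SSPI" />
  </connectionStrings>
</configuration>"""

PASSWORD_KEYS = {"password", "pwd"}
TRUSTED_KEYS = {"integrated security", "trusted_connection"}

def parse_conn_string(text):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return (name, auth_mode, masked_string) for every connection string found."""
    root = ET.fromstring(xml_text)
    entries = [(e.get("key"), e.get("value", "")) for e in root.findall("./appSettings/add")]
    entries += [(e.get("name"), e.get("connectionString", "")) for e in root.findall("./connectionStrings/add")]
    findings = []
    for name, raw in entries:
        pairs = parse_conn_string(raw)
        if not ({"server", "data source"} & pairs.keys()):
            continue  # an ordinary setting, not a connection string
        if any(pairs.get(k, "").lower() in ("sspi", "true", "yes") for k in TRUSTED_KEYS):
            mode = "integrated"
        elif PASSWORD_KEYS & pairs.keys():
            mode = "sql-auth-plaintext-password"
        else:
            mode = "unknown"
        masked = ";".join(f"{k}=***" if k in PASSWORD_KEYS else f"{k}={v}" for k, v in pairs.items())
        findings.append((name, mode, masked))
    return findings

if __name__ == "__main__":
    for name, mode, masked in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"{name}: {mode}: {masked}")
```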





