[dba-SQLServer] Integrated security

Mike & Doris Manning mikedorism at adelphia.net
Tue Jan 4 07:15:43 CST 2005


You are correct.

Doris Manning
Database Administrator
Hargrove Inc.
www.hargroveinc.com


-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Steven W.
Erbach
Sent: Tuesday, January 04, 2005 7:49 AM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: [dba-SQLServer] Integrated security


Dear Group,

Hasn't been much traffic here since 26-Dec it looks like. Here's a poser,
though it may not amount to much.

I've been working on a .NET project for some time (MUCH longer than
anticipated) that uses a SQL Server 2000 back-end. The web host,
CrystalTech, only offers two server logins in their "rental" agreement for
their SQL Server capability. I wasn't aware of that at the outset; but I've
reconciled myself to it. I use SQL Server authentication using my main login
and password in the ADO connection string, and a user and password table to
authorize further entry into the database I've set up. In ASP.NET the
connection string is unavailable to the casual user. It's stored in the
Web.config XML file and is not downloadable nor can it be accessed with a
browser.

However, from my reading on ASP.NET application security, it appears that a
sophisticated user/hacker can read the connection string using a memory
dump, as I understand it. In version 2.0 of the Microsoft .NET Framework
there's supposed to be a new class, System.Security, that will allow me to
encrypt the connection string; but right now that string is somewhere in the
managed memory heap and doesn't really get erased from there.

My question relates to integrated security. Forgive my naiveté on this, but
am I correct in assuming that for integrated security to work with SQL
Server, I have to log in from MY workstation using MY Windows login, is that
right? In other words, integrated security is workstation-based, not
username and password based, right? If that's the case, then I've only got
two logins of that type with the CrystalTech SQL Server...and I may not even
have that. So my only option is to use the SQL Server authentication I've
already set up with the lookup of user names and passwords in a table in the
database.

Thanks for your thoughts.

Regards,

Steve Erbach
Scientific Marketing
Neenah, WI


