MichaelP (Jedi Yak, 2489 Posts)
Posted - 2002-07-31 : 17:36:53

In the past, I've had the luxury of having a SQL server behind a firewall on non-routable IPs. I've got a case now where the Webserver (IIS 5.0) and SQL Server (MSDE 2000 sp2) are on the same box, and on routable IPs. I've got an ASP app that uses COM DLLs in COM+ to communicate with the database. The connection strings will be stored in COM+.

What should I do to protect my server? Should I create a SQL user that is NOT sa and give that user just enough rights to the database? Should I just give sa a really tough password and use that to connect to the database?

Thanks all!
Michael

<Yoda>Use the Search page you must. Find the answer you will.
robvolk (Most Valuable Yak, 15732 Posts)
Posted - 2002-07-31 : 17:39:06

Absolutely DO NOT use sa for your web application, even if you hide the connection strings in COM objects. Make up a new login and give it exactly the rights it needs, no more, no less. You still have to take care against SQL injection attacks, unless absolutely everything uses stored procedures.
MichaelP (Jedi Yak, 2489 Posts)
Posted - 2002-07-31 : 17:49:43

Sounds good, but what should I do with the sa account? Should I deny it access to my database?

<Yoda>Use the Search page you must. Find the answer you will.
robvolk (Most Valuable Yak, 15732 Posts)
Posted - 2002-07-31 : 18:33:40

You can't really. The best thing to do is set a strong password and keep it to yourself.
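Put together as an added illustration of Rob's two replies above (a dedicated login with exactly the rights it needs, and a strong sa password kept out of the application); this is not code from the thread or from any of the posters. It assumes SQL Server 2000 / MSDE 2000 syntax (sp_addlogin rather than the later CREATE LOGIN), a hypothetical database WebShop with procedures dbo.GetOrder and dbo.AddOrder over a table dbo.Orders, all owned by dbo, and placeholder passwords you would replace with long random ones.

```sql
-- Added example, not from the thread. SQL Server 2000 / MSDE 2000 syntax.
-- Database, procedure, table and password values are hypothetical.
-- Run once as a sysadmin from a trusted console, never from the web app.
USE master
GO
-- 1. A dedicated login for the web application. It starts with no rights
--    beyond connecting to its default database.
EXEC sp_addlogin @loginame = 'webapp', @passwd = 'ReplaceWithLongRandomSecret1', @defdb = 'WebShop'
GO
USE WebShop
GO
-- 2. Map the login to a user in this one database only.
EXEC sp_grantdbaccess @loginame = 'webapp', @name_in_db = 'webapp'
GO
-- 3. Grant exactly what the ASP/COM+ code calls: EXECUTE on named procedures.
--    No db_owner, no db_datareader/db_datawriter, no direct table rights.
--    Because dbo owns both the procedures and dbo.Orders, ownership chaining
--    lets the procedures reach the table without granting the user anything on it.
GRANT EXECUTE ON dbo.GetOrder TO webapp
GRANT EXECUTE ON dbo.AddOrder TO webapp
GO
-- 4. Review everything the user ends up with, including anything inherited
--    through the public role, and revoke whatever the app does not need.
EXEC sp_helprotect @username = 'webapp'
GO
-- 5. Verify from the user's point of view. SETUSER impersonates the user
--    for the rest of the connection; SETUSER with no argument reverts.
SETUSER 'webapp'
EXEC dbo.GetOrder @OrderID = 1     -- works: EXECUTE was granted
SELECT TOP 1 * FROM dbo.Orders     -- fails with error 229: SELECT permission denied
GO
SETUSER
GO
-- 6. sa cannot be denied access to a database, so give it a strong password
--    that stays with the DBA and never appears in a connection string.
EXEC sp_password @old = NULL, @new = 'ReplaceWithLongRandomSecret2', @loginame = 'sa'
GO
```

The check in step 5 is the one worth repeating whenever the procedures change: if the impersonated user can read or write a base table directly, the login has more than it needs. The ownership-chaining note in step 3 cuts both ways: a procedure owned by dbo that builds dynamic SQL with EXEC() does not get that free pass, because dynamic SQL runs with the caller's own permissions.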
byrmol (Shed Building SQL Farmer, 1591 Posts)
Posted - 2002-07-31 : 18:40:59

MichaelP, just out of curiosity, where do you put the connection string in COM+? I use the Constructor via the IObjectConstruct interface.

DavidM
"SQL-3 is an abomination.."
MichaelP (Jedi Yak, 2489 Posts)
Posted - 2002-07-31 : 18:53:10

byrmol, that's how we do it too :)

Rob, thanks for the tips!

Michael

<Yoda>Use the Search page you must. Find the answer you will.
byrmol (Shed Building SQL Farmer, 1591 Posts)
Posted - 2002-07-31 : 19:30:20

Thanks for the response Michael. I ask because some like the registry or .ini files...

DavidM
"SQL-3 is an abomination.."
jasper_smith (SQL Server MVP & SQLTeam MVY, 846 Posts)
Posted - 2002-08-01 : 04:04:50

Remember that just because you are using stored procedures you can't assume no threat from SQL injection, although using the ADO command object helps (AFAIK no exploits, but still validate all input); if you dynamically construct the SQL string to call the stored procedure then there is still a risk.

http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

HTH
Jasper Smith
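As an added illustration of Jasper's warning (not code from the thread or from any of the posters): the same stored procedure called the two ways he describes. The table, procedure and attacker input are constructed for the demo and live in tempdb; SQL Server 2000 syntax is assumed. The first half reproduces, in T-SQL, the batch an ASP page produces when it builds `"EXEC dbo.GetOrdersByCustomer '" & Request("name") & "'"` as a string; the second half passes the same input as a typed parameter through sp_executesql, which is comparable to what a parameterised ADO Command sends.

```sql
-- Added example, not from the thread. SQL Server 2000 syntax.
-- Table, procedure and attacker input are constructed for the demonstration.
USE tempdb
GO
CREATE TABLE dbo.Orders (OrderID int, CustomerName varchar(50))
INSERT dbo.Orders VALUES (1, 'Alice')
INSERT dbo.Orders VALUES (2, 'Bob')
GO
CREATE PROCEDURE dbo.GetOrdersByCustomer @CustomerName varchar(50) AS
    SELECT OrderID, CustomerName FROM dbo.Orders WHERE CustomerName = @CustomerName
GO
-- 1. The vulnerable pattern. The ASP page concatenates user input into the
--    text of the call, so the server receives one batch and runs all of it.
--    The stored procedure is called, but so is whatever followed the quote.
DECLARE @name varchar(200), @batch varchar(400)
SET @name = 'Alice''; INSERT dbo.Orders VALUES (99, ''injected''); --'   -- constructed attacker input
SET @batch = 'EXEC dbo.GetOrdersByCustomer ''' + @name + ''''
PRINT @batch
-- EXEC dbo.GetOrdersByCustomer 'Alice'; INSERT dbo.Orders VALUES (99, 'injected'); --'
EXEC (@batch)
SELECT * FROM dbo.Orders WHERE OrderID = 99   -- the injected row is there
GO
-- 2. The parameterised form. The input is bound as a value of a declared
--    type; its apostrophes and semicolon are data, not syntax, and the only
--    thing that executes is the procedure. Whether the web login could have
--    run the injected INSERT at all is what the least-privilege login decides.
DECLARE @name varchar(200)
SET @name = 'Alice''; INSERT dbo.Orders VALUES (100, ''injected''); --'
EXEC sp_executesql N'EXEC dbo.GetOrdersByCustomer @CustomerName = @n',
                   N'@n varchar(200)', @n = @name
SELECT * FROM dbo.Orders WHERE OrderID = 100   -- no row: nothing was injected
GO
DROP PROCEDURE dbo.GetOrdersByCustomer
DROP TABLE dbo.Orders
GO
```

The PRINT line is the thing to look at: the procedure name in the string gives no protection, because the attacker controls where the statement ends. Doubling apostrophes in the ASP code closes only the string-literal case; numeric arguments concatenated without quotes are still open, so the fix is to pass every value as a parameter and, as the post says, validate the input anyway.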