
Web Applications and SQL Server

By  Sep 14, 2007

Topics: Data

I responded to an interesting post this morning on a newsgroup regarding the IUSR account and SQL Server. If you're using SQL Server behind a web application, you have many options for how you connect to the database.

One of those options I've seen in the field is to use Windows authentication and connect as the IUSR account, which is one of the built-in accounts that Internet Information Server (IIS) uses.

I don't recommend this approach. Although it's simple to set up and use, every request reaches the database as the same account, so you lose the ability to track what an individual is doing, and you have to grant that one account more rights than any particular user really needs.

I think a better approach is to set up a "middle tier" and use it to access the database, especially if your database is on the corporate side of the DMZ. Another approach is to use application roles to access the database on the user's behalf, and then record the user name and access time in a tracking table that you control. As I said, there are a lot of options.
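As an added T-SQL illustration of the application-role approach just described (example code, not from the original post), the web application connects with one login that has no table rights of its own, activates an application role, and calls a stored procedure that records the authenticated user in a tracking table before returning data. The role, table, procedure and user names are hypothetical, and the password is a placeholder.

```sql
-- Tracking table under the DBA's control (hypothetical names throughout).
CREATE TABLE dbo.AccessLog (
    LogId      INT IDENTITY(1,1) PRIMARY KEY,
    AppUser    NVARCHAR(128) NOT NULL,                 -- user the middle tier authenticated
    AccessTime DATETIME      NOT NULL DEFAULT GETDATE(),
    Action     NVARCHAR(64)  NOT NULL
);

CREATE TABLE dbo.Orders (
    OrderId    INT PRIMARY KEY,
    CustomerId INT NOT NULL,
    OrderDate  DATETIME NOT NULL
);
GO

-- Every data access goes through a procedure that logs who asked and when.
CREATE PROCEDURE dbo.GetOrdersForCustomer
    @AppUser    NVARCHAR(128),   -- end user's name, supplied by the middle tier
    @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.AccessLog (AppUser, Action)
        VALUES (@AppUser, N'GetOrdersForCustomer');
    SELECT OrderId, OrderDate
    FROM dbo.Orders
    WHERE CustomerId = @CustomerId;
END;
GO

-- The application role gets EXECUTE on the procedure only. Because the procedure
-- and both tables are owned by dbo, ownership chaining lets the procedure touch
-- the tables; the role (and the web login) can never query them directly.
CREATE APPLICATION ROLE WebAppRole WITH PASSWORD = '<placeholder: strong password>';
GRANT EXECUTE ON dbo.GetOrdersForCustomer TO WebAppRole;
GO

-- Per connection, the application activates the role, does its work, and
-- reverts so the pooled connection goes back with its original (minimal) rights.
DECLARE @cookie VARBINARY(8000);
EXEC sp_setapprole 'WebAppRole', '<placeholder: strong password>',
     @fCreateCookie = true, @cookie = @cookie OUTPUT;
EXEC dbo.GetOrdersForCustomer @AppUser = N'CONTOSO\jdoe', @CustomerId = 42;
EXEC sp_unsetapprole @cookie;
```

Reviewing dbo.AccessLog then shows per-user activity even though SQL Server saw only one login, which is exactly what the shared IUSR connection cannot give you.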

I found a pretty good discussion of web application design at the Windows Security site here: http://www.windowsecurity.com/articles/Secure_Architecture_SQL_Web_Server.html.

And of course, don't miss my security entries here at InformIT.
