Secure Data Access for ASP.NET Applications and Web Services

Source: Internet
Author: User
Tags: strong password

To access a remote database using Windows authentication from an ASP.NET application, use one of the following methods:

• Use the default ASP.NET process account. By creating a mirrored account (a local account with the same user name and password) on the database server, you can keep using the default ASP.NET process account. On Windows 2000, the default process account is ASPNET. On Windows Server 2003, the default process account is NetworkService.

The disadvantage of using local accounts is that the credentials can be recovered if the SAM database is dumped (which requires administrative privileges). The main advantage is that local accounts can be scoped to specific servers, which is difficult to achieve with domain accounts.
 
• Run ASP.NET using a least-privileged domain account. This method simplifies administration, because you do not need to keep the passwords of mirrored accounts synchronized. You cannot use this method if the Web server and database server are in separate domains that do not trust each other, or if a firewall separates the two servers and does not open the ports that Windows authentication requires.
 
• Impersonate the anonymous Web account. If Forms or Passport authentication is used, you can impersonate the anonymous Web account (by default IUSR_MACHINE) and create a mirrored account on the database server. This method is useful when several Web applications are deployed on the same Web server: you can use IIS to configure a different anonymous account for each application's virtual directory.

On Windows Server 2003, you can run multiple applications in separate worker processes by using IIS 6.0 application pools and configuring a separate identity for each application pool.
 
Configure data access permissions for ASP.NET applications

Whichever method you use, the application's account should be restricted in the database. To do this, create a SQL Server login for the account, grant it access to the required database, and then restrict its permissions so that it can access only the minimum set of database objects it needs. Ideally, restrict permissions so that the account can access only the stored procedures used by the application or Web service.

The following procedure assumes that you are using a mirrored local account, but the same approach can be used to restrict a domain account's capabilities in the database.

• To configure database access permissions for ASP.NET applications

1. Using the Computer Management tool on the Web server, change the password of the local ASPNET account to a known strong password. You need to know the password in order to create the mirrored account on the database server.

2. In Machine.config, set the password attribute on the <processModel> element so that the ASP.NET worker process continues to run as the ASPNET account. Use Aspnet_setreg.exe to store the credentials encrypted in the registry.

3. On the database server, create a local account with the same name (ASPNET) and the same strong password.

4. On the database server, create a local Windows group (for example, ASPNETWebApp) and add the local ASPNET account to the group.

5. Create a new login and grant the Windows group access to SQL Server:

sp_grantlogin 'MACHINE\ASPNETWebApp'

Note: Replace MACHINE with the name of the database server.

6. Grant the SQL Server login access to the database. The following T-SQL creates the database user WebAppUser and associates it with the login:

USE YourDatabase
GO
sp_grantdbaccess 'MACHINE\ASPNETWebApp', 'WebAppUser'

7. Create a user-defined database role:

USE YourDatabase
GO
sp_addrole 'WebAppUserRole'

8. Add the database user to the new database role:

USE YourDatabase
GO
sp_addrolemember 'WebAppUserRole', 'WebAppUser'

9. Configure database permissions for the role. Ideally, grant only EXECUTE permission on the stored procedures the application uses to query the database, and grant no permissions on tables:

GRANT EXECUTE ON sprocname TO WebAppUserRole
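The same least-privilege setup from steps 5 to 9 as a single T-SQL script, followed by two checks that confirm the role holds nothing beyond the intended EXECUTE grants. This is an added example, not code from the original article: it uses the CREATE LOGIN/USER/ROLE syntax of SQL Server 2005 and later (ALTER ROLE ... ADD MEMBER needs 2012 or later) instead of the sp_grantlogin/sp_grantdbaccess/sp_addrole procedures shown above, and the server name DBSERVER, the database YourDatabase, the procedures usp_GetOrders and usp_SaveOrder and the table dbo.Orders are assumed placeholder names.

```sql
-- Added example (not from the original article). Placeholder names are assumed:
-- DBSERVER, YourDatabase, dbo.usp_GetOrders, dbo.usp_SaveOrder, dbo.Orders.

-- Step 5: server-level login for the mirrored local Windows group.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'DBSERVER\ASPNETWebApp')
    CREATE LOGIN [DBSERVER\ASPNETWebApp] FROM WINDOWS;
GO

USE YourDatabase;
GO

-- Step 6: database user mapped to that login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'WebAppUser')
    CREATE USER WebAppUser FOR LOGIN [DBSERVER\ASPNETWebApp];
GO

-- Steps 7 and 8: user-defined database role and its membership
-- (use sp_addrolemember instead of ALTER ROLE on SQL Server before 2012).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'WebAppUserRole' AND type = 'R')
    CREATE ROLE WebAppUserRole;
ALTER ROLE WebAppUserRole ADD MEMBER WebAppUser;
GO

-- Step 9: EXECUTE on the stored procedures the application calls, and nothing
-- else. No SELECT/INSERT/UPDATE/DELETE is granted on any table.
GRANT EXECUTE ON OBJECT::dbo.usp_GetOrders TO WebAppUserRole;
GRANT EXECUTE ON OBJECT::dbo.usp_SaveOrder TO WebAppUserRole;
GO

-- Check 1: list every permission the role holds in this database. The expected
-- result is exactly the two EXECUTE rows above; any other row widens the access.
SELECT pr.name AS principal_name,
       pe.permission_name,
       pe.state_desc,
       pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = N'WebAppUserRole';
GO

-- Check 2: evaluate effective permissions as the application user. Expected:
-- can_exec_proc = 1, can_select_table = 0 (tables reachable only via procedures).
EXECUTE AS USER = 'WebAppUser';
SELECT HAS_PERMS_BY_NAME('dbo.usp_GetOrders', 'OBJECT', 'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select_table;
REVERT;
GO
```

Run the script as a member of sysadmin or db_owner after the mirrored Windows group exists on the database server; rerun only check 2 after any later GRANT to confirm that direct table access is still denied.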
 

From: constanding blog
