Security issues with IIS, ASP.NET, and SQL Server
SQL Server, Internet Information Server (IIS), and the ASP.NET engine each provide a solid, reliable security model, and the three models work well together. To protect user data and the application itself, Microsoft also ships each service with fairly restrictive default settings. The challenge for most developers is to use SQL Server, IIS, and ASP.NET to establish the right level of trust between the application and its data without leaving a vulnerability that others can easily exploit. Because three services are involved (SQL Server, IIS, and ASP.NET), three key steps are needed to secure the solution. This section describes a common (and reliable) way to set adequate permissions and trust levels for web applications.
Note: Security for web solutions is a large topic, and this series of articles cannot cover it in depth. For a fuller treatment of the problem and the possible solutions, see the Microsoft Patterns & Practices guide Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication.
Defining the DotNetKB custom IIS user account
The safest way to secure a web application is to define a custom Windows user with limited permissions and then configure IIS to use that account as the anonymous identity when it serves your web application. This is fairly easy to set up, and it ensures that every anonymous visitor to your web application has only the permissions you intend to grant.
The first step is to create a new Windows user (called DotNetKB in this example), give it a strong password, and add it to the Windows Guests group. Also make sure the "Password never expires" and "User cannot change password" check boxes are selected. The result is a user with limited permissions that you can use as the identity under which IIS runs your web application (see Figure 7).
Figure 7: The limited-permission user after creation
Next, open the Internet Information Services administration console and select the web application that hosts your pages. In this example, choose the web application (Dotnetkb_website) that hosts the test pages created in the previous article. Right-click the web application in the tree view and choose Properties... from the context menu. Then select the Directory Security tab and click the Edit button in the "Anonymous access and authentication control" section. Finally, enter the custom user name (DotNetKB), clear the "Allow IIS to control password" check box, and enter the password of the custom user account. When you have finished, click OK to save the changes to the IIS metabase (see Figure 8).
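The same procedure can be scripted, which is useful when you need to repeat it on several servers or want it in source control. The PowerShell below is an added example and is not from the original article; it targets IIS 6 and its metabase (the version whose Directory Security tab and metabase the text describes). It assumes the site's metabase path is IIS://localhost/W3SVC/1/ROOT/Dotnetkb_website (the site ID 1 and the virtual directory name are assumptions; confirm them in IIS Manager or with adsutil.vbs), that the content lives under C:\inetpub\wwwroot\Dotnetkb_website, and that it runs as an administrator on the web server.

```powershell
# Added example, not code from the original article.
# Assumed names: the DotNetKB account, the metabase path below, and the
# content folder. Adjust them to match your server before running.
$userName     = 'DotNetKB'
$metabasePath = 'IIS://localhost/W3SVC/1/ROOT/Dotnetkb_website'   # assumed
$webRoot      = 'C:\inetpub\wwwroot\Dotnetkb_website'             # assumed
$userPath     = "WinNT://$env:COMPUTERNAME/$userName,user"

# 1. A strong random password. Nobody ever logs on interactively as this
#    account, so the password only has to be stored in the metabase.
$bytes = New-Object byte[] 24
(New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
$password = [Convert]::ToBase64String($bytes)

# 2. Create the local account through the WinNT ADSI provider, which exists on
#    Windows 2000/2003 as well as newer versions (New-LocalUser does not).
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"
$user = $computer.Create('User', $userName)
$user.SetPassword($password)
$user.SetInfo()

# Same two check boxes as in the Computer Management dialog:
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"
$user.UserFlags.Value = $user.UserFlags.Value -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
$user.SetInfo()

# 3. Put the account in Guests, and take it out of Users, which a newly
#    created local account is a member of by default.
$guests = [ADSI]"WinNT://$env:COMPUTERNAME/Guests,group"
$guests.Add($userPath)
$users = [ADSI]"WinNT://$env:COMPUTERNAME/Users,group"
if ($users.psbase.Invoke('IsMember', $userPath)) { $users.Remove($userPath) }

# 4. NTFS: the anonymous account needs only read and execute on the content
#    tree. (OI)(CI) makes the entry inherit to files and sub-folders.
icacls $webRoot /grant "${userName}:(OI)(CI)RX" | Out-Null

# 5. Point the site's anonymous identity at the account. Setting
#    AnonymousPasswordSync to $false is the same as clearing the
#    "Allow IIS to control password" check box in the dialog.
$site = [ADSI]$metabasePath
$site.Put('AnonymousUserName',     "$env:COMPUTERNAME\$userName")
$site.Put('AnonymousUserPass',     $password)
$site.Put('AnonymousPasswordSync', $false)
$site.SetInfo()

# 6. Verify: re-read the metabase and make sure the account did not end up
#    in Administrators by mistake.
$check = [ADSI]$metabasePath
"Anonymous identity: $($check.AnonymousUserName)  IIS manages password: $($check.AnonymousPasswordSync)"
$admins = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
if ($admins.psbase.Invoke('IsMember', $userPath)) {
    throw "$userName is a member of Administrators; the anonymous identity must not be an admin."
}
```

Two caveats worth knowing before relying on this. First, the anonymous account is the identity IIS impersonates for unauthenticated requests; ASP.NET page code runs under the worker process identity (the ASPNET account on IIS 5, the application pool identity on IIS 6) unless you set <identity impersonate="true"/> in web.config, so the restricted DotNetKB permissions only constrain your page code when impersonation is on. Second, on IIS 7 and later the metabase is gone; the equivalent setting is the anonymousAuthentication section's userName and password attributes, which the WebAdministration module's Set-WebConfigurationProperty cmdlet can change.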