SQL Server, IIS, and ASP.NET Security Configuration

Source: http://www.webjx.com/server/windows-5808_2.html

SQL Server, Internet Information Server, and the ASP.NET engine each provide a solid, reliable security model, and the three work well together. To protect user data and applications, Microsoft also ships each service with very restrictive default settings.

The challenge most developers face is using SQL Server, IIS, and ASP.NET to establish an appropriate level of trust between the application and its data without leaving security holes that can easily be attacked. Because three services are involved (SQL Server, IIS, and ASP.NET), three key steps are required to secure the solution. This section describes a common (and reliable) method for setting sufficient permissions and trust levels for a web application.

Define the dotnetkb custom IIS user account

The safest way to secure a web application is to define a custom user with limited permissions and then configure IIS to run the web application as that user. This is fairly easy to do, and it ensures that every visitor to your web application has only the permissions you want them to have.

The first step is to create a new Windows user (called dotnetkb in this example), give it a strong password, and add it to the Windows Guests group. At the same time, make sure that the Password never expires and User cannot change password check boxes are selected. This creates a user with limited permissions, which IIS can then use as the identity under which your web application runs (see Figure 1).

Next, open the Internet Information Services administration console and select the web application that hosts these pages. In this example, select the web application (dotnetkb_website) that hosts the test page created earlier. Right-click the web application in the tree view and choose Properties... from the context menu. Select the Directory Security tab and click Edit... in the Anonymous access and authentication control section of the dialog box. Finally, enter the user name (dotnetkb), clear the Allow IIS to control password check box, and enter the password of the user account. Click OK to save the changes to the IIS configuration database (see Figure 2).


IIS now runs this application under a custom account with limited permissions. When a visitor requests a page of your application, the request runs as that user and has only the permissions granted to that user.

Authorize the dotnetkb user account to access SQL Server

Next, you must grant the user the corresponding permissions to access the database (dotnetkb). You can do this with Microsoft SQL Server Enterprise Manager, or you can write a custom script that creates the user and grants it access to specific objects. This article describes how to do it with SQL Server Enterprise Manager.

Note: Although Visual Studio .NET 2003 has many powerful integration features for SQL Server, it does not make it easy to manage users and user permissions from within Visual Studio .NET 2003. In large organizations and teams, these administrative tasks are usually done by the database administrator. So, after starting SQL Server Enterprise Manager, add the user (dotnetkb) to the database by following these steps:

· In the tree view on the left, expand the nodes until the dotnetkb database is visible. On my computer the path is: Console Root > SQL Server Group > (local) (Windows NT) > Databases > dotnetkb.

· Right-click the Users node under the database and select New Database User.... When the Database User Properties - New User dialog box appears, select <New> from the Login name drop-down list.

· When the SQL Server Login Properties - New Login dialog box appears, select the General tab and enter dotnetkb in the Name field. Make sure the Windows Authentication radio button is selected, and select the name of the computer on which the custom user account was created from the Domain drop-down box. Select dotnetkb from the Database drop-down list.

· Now select the Databases tab, find the dotnetkb database in the list at the top of the dialog box, and select it. Then make sure the public role is selected in the list at the bottom of the dialog box. Finally, click OK at the bottom of the dialog box to save your changes.

Next, you need to grant execute permissions on all stored procedures and user-defined functions in the dotnetkb database. You do this by granting the permissions to the public role rather than to the dotnetkb user directly; that makes it easier for other users to execute the stored procedures in the future (once they are given access to dotnetkb, you do not need to grant new permissions to each user).

The steps to grant execute permissions on the stored procedures and functions in the dotnetkb database are:

· Select the Users node under the dotnetkb database in the tree view to display the database's user list. Find the dotnetkb user and double-click it to open the Database User Properties dialog box.

· With the public role highlighted (selected), click Properties... to open the Database Role Properties dialog box. Click Permissions... to display the list of database objects and their permission settings.

· With the public role selected in the Database role drop-down list at the top of the dialog box, find every stored procedure and user-defined function defined for this database (you may need to widen the dialog box to see the full names) and make sure the EXEC check box next to each one is selected. You may notice that some other check boxes are already selected for some system objects; do not change those.

· Finally, once all the execute permissions are set, click OK to save the changes and close the dialog box. Keep clicking OK until all the dialog boxes are closed.
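The same setup as a script, as an added example that is not part of the original article: it creates the Windows login and database user from the first list of steps and then grants the execute permissions from the second list, which is the "custom script" alternative the article mentions. The machine name WEBSRV and the role name dotnetkb_exec are placeholders I chose; the database and user name dotnetkb are the article's. It uses the SQL Server 2000-era system procedures (sp_grantlogin, sp_grantdbaccess, sp_addrole, sp_helprotect) to match the Enterprise Manager tooling the article describes; on SQL Server 2005 and later, CREATE LOGIN and CREATE USER do the same job.

```sql
-- Added example, not from the original article.
-- Assumptions: the dotnetkb Windows account is local to a machine named WEBSRV
-- (placeholder: use your computer or domain name), the database is dotnetkb
-- (as in the article), and the script runs as a member of db_owner.
USE dotnetkb
GO

-- 1. Windows-authenticated login for the IIS account. No password is stored
--    in SQL Server; Windows verifies the identity that IIS passes on.
IF NOT EXISTS (SELECT 1 FROM master.dbo.syslogins WHERE loginname = N'WEBSRV\dotnetkb')
    EXEC sp_grantlogin N'WEBSRV\dotnetkb'
GO

-- 2. Map that login to a database user named dotnetkb in this database.
IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = N'dotnetkb')
    EXEC sp_grantdbaccess N'WEBSRV\dotnetkb', N'dotnetkb'
GO

-- 3. Grant EXECUTE on every user-defined procedure and scalar function, and
--    SELECT on table-valued functions (EXECUTE is not a valid permission on
--    those, even though Enterprise Manager lists them together).
--    The article grants to public, i.e. to every user of the database. A
--    dedicated role (placeholder name dotnetkb_exec) gives the permission only
--    to members you add explicitly; set @grantee = N'public' to reproduce the
--    article's choice exactly.
DECLARE @grantee sysname
SET @grantee = N'dotnetkb_exec'
IF @grantee <> N'public'
BEGIN
    IF NOT EXISTS (SELECT 1 FROM dbo.sysusers WHERE name = @grantee AND issqlrole = 1)
        EXEC sp_addrole @grantee
    EXEC sp_addrolemember @grantee, N'dotnetkb'
END

DECLARE @object sysname, @perm nvarchar(10), @sql nvarchar(512)
DECLARE routines CURSOR LOCAL FAST_FORWARD FOR
    SELECT QUOTENAME(USER_NAME(uid)) + N'.' + QUOTENAME(name),
           CASE WHEN type IN ('IF', 'TF') THEN N'SELECT' ELSE N'EXECUTE' END
    FROM dbo.sysobjects
    WHERE type IN ('P', 'FN', 'IF', 'TF')        -- procedures, scalar, inline and multi-statement functions
      AND OBJECTPROPERTY(id, 'IsMSShipped') = 0  -- skip the system objects the article says not to touch
OPEN routines
FETCH NEXT FROM routines INTO @object, @perm
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'GRANT ' + @perm + N' ON ' + @object + N' TO ' + QUOTENAME(@grantee)
    EXEC sp_executesql @sql
    FETCH NEXT FROM routines INTO @object, @perm
END
CLOSE routines
DEALLOCATE routines
GO

-- 4. Check the result. Only EXECUTE/SELECT on the routines above should be
--    listed for the user and its role; a direct SELECT, INSERT, UPDATE or
--    DELETE on a table means the account holds more than the article intends.
EXEC sp_helprotect @username = N'dotnetkb'
EXEC sp_helprotect @username = N'dotnetkb_exec'
GO
```

Run the script in Query Analyzer while connected to the server that hosts dotnetkb. Because the login is a Windows login, the script never contains a password, which is the same property the article relies on for the web.config change later: nothing in the database or the application configuration reveals the credentials used at run time. The final sp_helprotect calls are the check worth repeating after any schema change, since new procedures are not covered by grants made earlier.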

So far, you have created a custom user for IIS and given that user the corresponding permissions in SQL Server. Now you need to make one configuration change in the ASP.NET web project so that ASP.NET uses the same user account for all calls to SQL Server.

Set your ASP.NET application to impersonate the dotnetkb user

The last step in building a solid, reliable configuration for the ASP.NET web application is to configure the application to accept the Windows user identity passed to it by IIS and use that identity to access other operating system resources. This requires only a single line in the application's root web.config file.

The modified web.config file looks like this:


<configuration>
  <system.web>
    ... other elements ...
    <identity impersonate="true"/>  <!-- run as the Windows identity supplied by IIS -->
    ... other elements ...
  </system.web>
</configuration>

Note that you only need to add the identity element and set its impersonate attribute to true; element and attribute names in web.config are case-sensitive. You do not need to enter a user account or password, because IIS supplies that information. This means that even if someone can read your configuration file, they cannot determine which credentials are used to execute your web application.

At this point, you have created a user and given it the corresponding permissions in SQL Server and IIS.
