What's the preferred (best practice) means of connecting an ASP.Net Website to a database? I doubt it's as simple as using Trusted-Connection and giving the NT-Authority accounts access.
将ASP.Net网站连接到数据库的首选(最佳实践)方法是什么?我怀疑它就像使用Trusted-Connection并给NT-Authority帐户访问一样简单。
What do y'all do? Assuming a clean install of SQL Server (2008), what do you do to configure access to the database for a website?
你们都做什么?假设SQL Server(2008)安装干净,您如何配置网站数据库的访问权限?
3 个解决方案
#1
I usually run ASP.NET app pool as a separate account (not NT AUTHORITY\NETWORK SERVICE
) and use Windows authentication to access the SQL Server. This method has the advantage of not storing the password in config files.
我通常将ASP.NET应用程序池作为单独的帐户(而不是NT AUTHORITY \ NETWORK SERVICE)运行,并使用Windows身份验证来访问SQL Server。此方法的优点是不将密码存储在配置文件中。
Steps:
- Create a user account to run your ASP.NET application on.
- Create an application pool in IIS and run it on the created account.
- Assign NTFS permissions that your application needs to the account.
- Grant permission to login on SQL Server.
- Assign the appropriate database roles to the created login.
创建用户帐户以运行ASP.NET应用程序。
在IIS中创建应用程序池并在创建的帐户上运行它。
将应用程序所需的NTFS权限分配给该帐户。
授予在SQL Server上登录的权限。
将相应的数据库角色分配给创建的登录名。
This will work for many apps. For more complex security environments, you might need more sophisticated strategies.
这适用于许多应用程序。对于更复杂的安全环境,您可能需要更复杂的策略。
#2
I used to use trusted connections, but ended up feeling that that sometimes I ended up having to grant too many privileges to the service account used for the connection/app pool. Now I use SQL Server accounts and set up the application to encrypt the connection strings during Application_Start if they aren't already encrypted. In fact I encrypt any section that may contain user credentials. I use an appSetting to determine whether the encryption code runs so I don't encrypt my settings in the development environment.
我曾经使用过可信连接,但最终感觉有时我最终不得不为用于连接/应用程序池的服务帐户授予太多权限。现在我使用SQL Server帐户并设置应用程序以在Application_Start期间加密连接字符串(如果它们尚未加密)。实际上,我加密了可能包含用户凭据的任何部分。我使用appSetting来确定加密代码是否运行,因此我不会在开发环境中加密我的设置。
#3
I also use SQL Server accounts, just find it simpler to do and to troubleshoot.
我也使用SQL Server帐户,只是发现它更容易做和排除故障。
#1
I usually run ASP.NET app pool as a separate account (not NT AUTHORITY\NETWORK SERVICE
) and use Windows authentication to access the SQL Server. This method has the advantage of not storing the password in config files.
我通常将ASP.NET应用程序池作为单独的帐户(而不是NT AUTHORITY \ NETWORK SERVICE)运行,并使用Windows身份验证来访问SQL Server。此方法的优点是不将密码存储在配置文件中。
Steps:
- Create a user account to run your ASP.NET application on.
- Create an application pool in IIS and run it on the created account.
- Assign NTFS permissions that your application needs to the account.
- Grant permission to login on SQL Server.
- Assign the appropriate database roles to the created login.
创建用户帐户以运行ASP.NET应用程序。
在IIS中创建应用程序池并在创建的帐户上运行它。
将应用程序所需的NTFS权限分配给该帐户。
授予在SQL Server上登录的权限。
将相应的数据库角色分配给创建的登录名。
This will work for many apps. For more complex security environments, you might need more sophisticated strategies.
这适用于许多应用程序。对于更复杂的安全环境,您可能需要更复杂的策略。
#2
I used to use trusted connections, but ended up feeling that that sometimes I ended up having to grant too many privileges to the service account used for the connection/app pool. Now I use SQL Server accounts and set up the application to encrypt the connection strings during Application_Start if they aren't already encrypted. In fact I encrypt any section that may contain user credentials. I use an appSetting to determine whether the encryption code runs so I don't encrypt my settings in the development environment.
我曾经使用过可信连接,但最终感觉有时我最终不得不为用于连接/应用程序池的服务帐户授予太多权限。现在我使用SQL Server帐户并设置应用程序以在Application_Start期间加密连接字符串(如果它们尚未加密)。实际上,我加密了可能包含用户凭据的任何部分。我使用appSetting来确定加密代码是否运行,因此我不会在开发环境中加密我的设置。
#3
I also use SQL Server accounts, just find it simpler to do and to troubleshoot.
我也使用SQL Server帐户,只是发现它更容易做和排除故障。