Just curious as to best practice for managing db access from an asp.net web application. We were currently putting the username and password in the web.config, but this wasn't good enough internal security (obviously), so I decided to use a windows domain user instead by modifying the web.config to use windows domain, and then adding the user to the app pool identity. This all works fine, but what happens when the domain user's password changes? Does that mean that all the webapps that use this user's identity in app pool will require the password change too? This would be an IT nightmare. Does anyone have suggestions on best approach for allowing webapp to access database without exposing password and without having to update passwords in all webapps if the password changes? Thanks
只是对从asp.net Web应用程序管理数据库访问的最佳实践感到好奇。我们当前在web.config中输入了用户名和密码,但是内部安全性(显然)不够好,所以我决定使用Windows域用户而不是通过修改web.config来使用windows域,然后将用户添加到应用程序池标识。这一切都很好,但是当域用户的密码更改时会发生什么?这是否意味着在应用程序池中使用此用户身份的所有Web应用程序也需要更改密码?这将是一场IT噩梦。有没有人有关于允许webapp访问数据库而不暴露密码的最佳方法的建议,如果密码更改,无需更新所有webapps中的密码?谢谢
2 个解决方案
#1
1
A better solution would be to set up a separate app pool that is set up with a service account that has full access to the database restart the web app after selecting the new app pool and use integrated security.
更好的解决方案是设置一个单独的应用程序池,该应用程序池设置有一个服务帐户,该服务帐户在选择新的应用程序池并使用集成安全性后,可以完全访问数据库,从而重新启动Web应用程序。
Use a very strong ( and lengthy ) password and set the account to password does not expire and user can not change password.
使用非常强(和冗长)的密码并将帐户设置为密码不会过期,用户无法更改密码。
This prevents using clear text in the web.config files.
这可以防止在web.config文件中使用明文。
#2
0
I would recommend using SQL Mixed-mode Authentication and using a SQL account for your app. The username and password in the web.config and encrypt that section of the config file.
我建议使用SQL混合模式身份验证并为您的应用程序使用SQL帐户。 web.config中的用户名和密码,并加密配置文件的该部分。
Here is some information about configuration encryption.
以下是有关配置加密的一些信息。
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
#1
1
A better solution would be to set up a separate app pool that is set up with a service account that has full access to the database restart the web app after selecting the new app pool and use integrated security.
更好的解决方案是设置一个单独的应用程序池,该应用程序池设置有一个服务帐户,该服务帐户在选择新的应用程序池并使用集成安全性后,可以完全访问数据库,从而重新启动Web应用程序。
Use a very strong ( and lengthy ) password and set the account to password does not expire and user can not change password.
使用非常强(和冗长)的密码并将帐户设置为密码不会过期,用户无法更改密码。
This prevents using clear text in the web.config files.
这可以防止在web.config文件中使用明文。
#2
0
I would recommend using SQL Mixed-mode Authentication and using a SQL account for your app. The username and password in the web.config and encrypt that section of the config file.
我建议使用SQL混合模式身份验证并为您的应用程序使用SQL帐户。 web.config中的用户名和密码,并加密配置文件的该部分。
Here is some information about configuration encryption.
以下是有关配置加密的一些信息。
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx
http://msdn.microsoft.com/en-us/library/zhhddkxy(v=vs.100).aspx