If SQL Server authentication is used, the user ID and password are embedded in the connection string, but the connection string is stored in encrypted form (using DPAPI) in web.config. If Windows authentication is used, the user’s credentials are not included in the connection string; the connection string is still encrypted, which hides the database server’s IP address, port number, and similar details.
Windows authentication is the preferred method from a security point of view because this mode does not transmit the user’s credentials over the network. For Windows authentication to work, a mirrored ASPNET process account must be created as a local Windows account with the same name and password on the database server. ASPNET is a least-privileged account created when the .NET Framework is installed on the web server; by default, all ASP.NET applications run under the security context of this account. After creating the account in Windows, create a SQL Server login for the account and grant it access to the Web Plus database.
It is recommended that SQL Server listen on a port number other than the default, 1433. That port must then be opened in the internal firewall so that the web server can reach the database.
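The three steps above (mirroring the ASPNET account and creating its SQL Server login, pointing web.config at a non-default port with Windows authentication, and encrypting the connectionStrings section with DPAPI) as one worked PowerShell procedure. This is an added example, not part of the Web Plus documentation or product; the server names WEBSRV and DBSRV, the database name WebPlus, the IIS application path /WebPlus, the web server address 10.0.0.10, the connection string name WebPlus, the port 14330 and the .NET Framework path are all placeholder assumptions.

```powershell
# Added example (not from the Web Plus documentation). Placeholder values: web server
# WEBSRV at 10.0.0.10, database server DBSRV, database WebPlus, IIS app path /WebPlus,
# SQL Server listening on TCP 14330 instead of 1433. Run the first part on the database
# server and the second part on the web server, both from an elevated PowerShell session.

# ---------------- On the database server (DBSRV) -----------------------------------
# 1. Mirror the web server's ASPNET process account: same name, same password.
#    NTLM pass-through authentication only succeeds if both match exactly.
$AspnetPassword = Read-Host -AsSecureString 'Password of the ASPNET account on WEBSRV'
New-LocalUser -Name 'ASPNET' -Password $AspnetPassword -PasswordNeverExpires `
    -UserMayNotChangePassword -Description 'Mirror of WEBSRV ASPNET process account'

# 2. Create a Windows-authenticated SQL Server login for the mirrored account and map it
#    to a database user with data access only (no server-level roles, no db_owner).
$CreateLogin = @"
CREATE LOGIN [DBSRV\ASPNET] FROM WINDOWS;
USE WebPlus;
CREATE USER [ASPNET] FOR LOGIN [DBSRV\ASPNET];
EXEC sp_addrolemember 'db_datareader', 'ASPNET';
EXEC sp_addrolemember 'db_datawriter', 'ASPNET';
"@
# -E uses the current Windows session; 'host,port' targets the non-default port.
sqlcmd -S 'DBSRV,14330' -E -Q $CreateLogin

# 3. Host firewall rule on the database server: allow the SQL port only from the web server.
#    The internal network firewall between the two servers needs the equivalent rule.
New-NetFirewallRule -DisplayName 'SQL Server (Web Plus) from WEBSRV' -Direction Inbound `
    -Protocol TCP -LocalPort 14330 -RemoteAddress 10.0.0.10 -Action Allow

# ---------------- On the web server (WEBSRV) ---------------------------------------
# 4. Use a Windows-authentication connection string: no user ID or password, and the
#    non-default port carried in the Data Source.
$ConfigPath = 'C:\inetpub\wwwroot\WebPlus\web.config'   # assumed application path
[xml]$Config = Get-Content -Path $ConfigPath
$Entry = $Config.configuration.connectionStrings.add | Where-Object { $_.name -eq 'WebPlus' }
$Entry.connectionString = 'Data Source=DBSRV,14330;Initial Catalog=WebPlus;Integrated Security=SSPI;'
$Config.Save($ConfigPath)

# 5. Encrypt the connectionStrings section in place with DPAPI
#    (DataProtectionConfigurationProvider) so the server address and port are not stored
#    in clear text. The key is machine-bound: the file only decrypts on this web server.
$RegIis = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
& $RegIis -pe 'connectionStrings' -app '/WebPlus' -prov 'DataProtectionConfigurationProvider'

# 6. Verify: the section must now contain EncryptedData rather than the clear-text string,
#    and the database port must be reachable from the web server through the firewall.
[xml]$Encrypted = Get-Content -Path $ConfigPath
if (-not $Encrypted.configuration.connectionStrings.EncryptedData) {
    throw 'connectionStrings section is still stored in clear text'
}
if (-not (Test-NetConnection -ComputerName 'DBSRV' -Port 14330 -InformationLevel Quiet)) {
    throw 'TCP 14330 on DBSRV is not reachable from the web server; check firewall rules'
}
'Windows authentication, non-default port and DPAPI-encrypted connection string verified.'
```

The login is granted db_datareader and db_datawriter only; if the application needs more, add the specific role rather than db_owner. Because DPAPI keys are tied to the machine, copy web.config to another server only after decrypting it (`aspnet_regiis -pd`) and re-encrypting it there.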