securing data access via website

[DC Gringo]

I would like to use anonymous access for a public access, Win2k/IIS website.

The database, however, should be accessed via a secured, strong-password
domain user account "company\ouraspnetuser". This database is on another
physical Windows 2k server. I've looked into UDL, DPAPI, and sync'd local
ASPNET account passwords and am not terribly convinced of any of them. I'm
not using OLEDB so I can't use UDL. For bureaucratic reasons I can't use
sync'd ASPNET accounts on all the network resources my application needs to
access. DPAPI seems to be the way to go, but it seems outlandishly
complicated to implement--unless of course I haven't found a good reference.

Could someone point me in the right direction and/or comment on another
possible solution?


_____
DC G

 

[Paul Glavich]

You could try putting a data access component into COM+ (as a serviced
component), define the identity of the package/component as your preferred
username/strong password, so that the COM+ component runs under the defined
strong identity and access the DB that way via integrated security, and your
app would simply interface with that component.

HTH

 

[DC Gringo]

Got any good references on that?

_____
DC G

You could try putting a data access component into COM+ (as a serviced
component), define the identity of the package/component as your preferred
username/strong password, so that the COM+ component runs under the defined
strong identity and access the DB that way via integrated security, and your
app would simply interface with that component.

HTH

 

[Alek Davis]

DC,

Check out this article: "Protect It: Safeguard Database Connection Strings
and Other Sensitive Settings in Your Code" article
(http://msdn.microsoft.com/msdnmag/issues/03/11/ProtectYourData/). It
addresses some of your questions and has relevant references.

Alek