Friday, March 30, 2012

IUSER Security Risk?

We have an old ASP application that authenticates to a SQL Server 2000 database using the IUSER account.

We are exploring the possibility of moving it to a DMZ so users can access it from home. The IUSER account is being used for all database activity for this application. Is there any reason to be concerned about using IUSER as opposed to SQL authentication for this tool, or any other security risks I should be wary of? Mind you, there may be some sensitive information contained in the database. Thanks in advance.

I would recommend either application roles or some other security method, such as a middle-tier or at least SQL Server security to access the database rather than this user. For one thing, you can't track actions to an individual this way.

This is a good reference for what you are trying to do:

http://www.windowsecurity.com/articles/Secure_Architecture_SQL_Web_Server.html
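A sketch of the "SQL Server security" option from the reply above, added here as an example and not part of the original thread: a dedicated low-privilege SQL login that can only execute stored procedures, with each call recorded against the application user. All object names (WebAppDb, web_app_login, web_app_role, dbo.Orders, dbo.AuditLog, dbo.usp_GetOrder) are hypothetical, and it assumes the ASP code has already authenticated the user and passes that user name as @AppUser.

```sql
-- Added example for SQL Server 2000; every name below is hypothetical.
USE WebAppDb   -- assumed to be the application database
GO
-- 1. Dedicated SQL login for the web tier, replacing the anonymous IIS account.
EXEC sp_addlogin @loginame = 'web_app_login',
                 @passwd   = '<strong-password-placeholder>',
                 @defdb    = 'WebAppDb'
EXEC sp_grantdbaccess @loginame = 'web_app_login'
-- 2. Permissions hang off a role, not the login itself.
EXEC sp_addrole @rolename = 'web_app_role'
EXEC sp_addrolemember @rolename = 'web_app_role', @membername = 'web_app_login'
GO
-- 3. Sample data table (constructed) and an audit table keyed on the app user.
CREATE TABLE dbo.Orders (
    OrderId      INT PRIMARY KEY,
    CustomerName NVARCHAR(100) NOT NULL,
    Total        MONEY NOT NULL
)
CREATE TABLE dbo.AuditLog (
    AuditId  INT IDENTITY(1,1) PRIMARY KEY,
    AppUser  NVARCHAR(128) NOT NULL,   -- individual identified by the ASP layer
    Action   NVARCHAR(64)  NOT NULL,
    OrderId  INT NULL,
    LoggedAt DATETIME NOT NULL DEFAULT (GETDATE())
)
GO
-- 4. The only entry point: logs who asked, then returns the row.
CREATE PROCEDURE dbo.usp_GetOrder
    @AppUser NVARCHAR(128),
    @OrderId INT
AS
SET NOCOUNT ON
INSERT INTO dbo.AuditLog (AppUser, Action, OrderId)
VALUES (@AppUser, N'GetOrder', @OrderId)
SELECT OrderId, CustomerName, Total
FROM dbo.Orders
WHERE OrderId = @OrderId
GO
-- 5. EXECUTE on the procedure only; direct table access is denied.
--    The procedure still works through dbo ownership chaining.
GRANT EXECUTE ON dbo.usp_GetOrder TO web_app_role
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders   TO web_app_role
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.AuditLog TO web_app_role
GO
```

If an application role (sp_addapprole / sp_setapprole) is used instead, note that on SQL Server 2000 an activated application role cannot be reverted on a connection, so OLE DB connection pooling has to be disabled for that connection string.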
