hi
how much overhead
or performance i lose
with the next configuration ? :

1- IIS starts the USER_X.asp page
[ with exec permissions for IUSR ]
2- USER_X.asp creates an out-of-proc object called PROXY_X
[ PROXY_X runs under a PROFILE_X account ]
[ IWAM has exec permissons for PROXY_X ]
3- USER_X.asp invoke "sp_userx_..." stored procedures thru PROXY_X
[ PROXY_X has exec permissions for "sp_userx_..." ]
4- and the same again for every user type x, y, z

it has not the big scalability
but its enough in my case

this is intended for security reasons
i neer to know your opinions about
this configuration please

thanks

Re: security : a good approach ?

yes, it's a good one. But seldomly it is needed, to protect your SQL server
against IUSR_x and against IIS using COM+ impersonation.

COM+ impersonation in fact, never is recommended to increase security, it is
used to have IUSR_x doing things on ACTive Directory, (for instance) that
IUSR_ is not allowed to do.

ja, good
(& excuse me to the news for the twin post)

i must run stored proc on sql srv
under different roles
but the logon is always IUSR_...

i understand IUSR_ will be a less permisive account
just capable of make a connection,
then how can i map from that connection
to the specific sql role?
i will need to exec an st.proc.
giving the user type and then
(i don't know how) restrict or permit
permissions for concerned st.proc. ...
but does it is secure?
anyway, how can i shift to the corresponding role?

thanks again


"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en el
mensaje news:eJReA%23eTEHA.3016@tk2msftngp13.phx.gbl...[color=blue]
> Re: security : a good approach ?
>
> yes, it's a good one. But seldomly it is needed, to protect your SQL[/color]
server[color=blue]
> against IUSR_x and against IIS using COM+ impersonation.
>
> COM+ impersonation in fact, never is recommended to increase security, it[/color]
is[color=blue]
> used to have IUSR_x doing things on ACTive Directory, (for instance) that
> IUSR_ is not allowed to do.
>[/color]

"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
news:uCuqB0iTEHA.2416@TK2MSFTNGP12.phx.gbl...[color=blue]
> ja, good
> (& excuse me to the news for the twin post)
>
> i must run stored proc on sql srv
> under different roles
> but the logon is always IUSR_...
>
> i understand IUSR_ will be a less permisive account
> just capable of make a connection,
> then how can i map from that connection
> to the specific sql role?
> i will need to exec an st.proc.
> giving the user type and then
> (i don't know how) restrict or permit
> permissions for concerned st.proc. ...
> but does it is secure?
> anyway, how can i shift to the corresponding role?[/color]

you cannot really use SQL server roles if you impersonate. But if you
disable impersonation through a single user (IUSR_ or a COM+ user), resource
pooling is disabled.
The best is to create your own roles. If you switch to ASP.NET, this is
**very** easy using forms authentication.
[color=blue]
> thanks again
>
>
> "Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en[/color]
el[color=blue]
> mensaje news:eJReA%23eTEHA.3016@tk2msftngp13.phx.gbl...[color=green]
> > Re: security : a good approach ?
> >
> > yes, it's a good one. But seldomly it is needed, to protect your SQL[/color]
> server[color=green]
> > against IUSR_x and against IIS using COM+ impersonation.
> >
> > COM+ impersonation in fact, never is recommended to increase security,[/color][/color]
it[color=blue]
> is[color=green]
> > used to have IUSR_x doing things on ACTive Directory, (for instance)[/color][/color]
that[color=blue][color=green]
> > IUSR_ is not allowed to do.
> >[/color]
>
>[/color]

well, i say
without using COM+ objects
and ...trusting in the IUSR .......

unafortunately i can't move to .net

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en el
mensaje news:e46279jTEHA.760@TK2MSFTNGP12.phx.gbl...[color=blue]
> "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> news:uCuqB0iTEHA.2416@TK2MSFTNGP12.phx.gbl...[color=green]
> > ja, good
> > (& excuse me to the news for the twin post)
> >
> > i must run stored proc on sql srv
> > under different roles
> > but the logon is always IUSR_...
> >
> > i understand IUSR_ will be a less permisive account
> > just capable of make a connection,
> > then how can i map from that connection
> > to the specific sql role?
> > i will need to exec an st.proc.
> > giving the user type and then
> > (i don't know how) restrict or permit
> > permissions for concerned st.proc. ...
> > but does it is secure?
> > anyway, how can i shift to the corresponding role?[/color]
>
> you cannot really use SQL server roles if you impersonate. But if you
> disable impersonation through a single user (IUSR_ or a COM+ user),[/color]
resource[color=blue]
> pooling is disabled.
> The best is to create your own roles. If you switch to ASP.NET, this is
> **very** easy using forms authentication.
>[color=green]
> > thanks again
> >
> >
> > "Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en[/color]
> el[color=green]
> > mensaje news:eJReA%23eTEHA.3016@tk2msftngp13.phx.gbl...[color=darkred]
> > > Re: security : a good approach ?
> > >
> > > yes, it's a good one. But seldomly it is needed, to protect your SQL[/color]
> > server[color=darkred]
> > > against IUSR_x and against IIS using COM+ impersonation.
> > >
> > > COM+ impersonation in fact, never is recommended to increase security,[/color][/color]
> it[color=green]
> > is[color=darkred]
> > > used to have IUSR_x doing things on ACTive Directory, (for instance)[/color][/color]
> that[color=green][color=darkred]
> > > IUSR_ is not allowed to do.
> > >[/color]
> >
> >[/color]
>[/color]

"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
news:eEJLAzmTEHA.2416@TK2MSFTNGP12.phx.gbl...[color=blue]
> well, i say
> without using COM+ objects
> and ...trusting in the IUSR .......
>
> unafortunately i can't move to .net[/color]

This means that you'll have to create your own roles in a separate table. It
is not that hard to do...

Success

hi
i don't understand well
those "in a separate table"
did you mean "in a separate dbs"?
can you explain me a bit more
or post a link

thanks again

"Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en el
mensaje news:%235B8ePoTEHA.3140@tk2msftngp13.phx.gbl...[color=blue]
> "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> news:eEJLAzmTEHA.2416@TK2MSFTNGP12.phx.gbl...[color=green]
> > well, i say
> > without using COM+ objects
> > and ...trusting in the IUSR .......
> >
> > unafortunately i can't move to .net[/color]
>
> This means that you'll have to create your own roles in a separate table.[/color]
It[color=blue]
> is not that hard to do...
>
> Success
>[/color]

"Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
news:%23AUqpG9TEHA.716@TK2MSFTNGP11.phx.gbl...[color=blue]
> hi
> i don't understand well
> those "in a separate table"[/color]

Create a new SQL server table
for instance

roles
roleId
name
and a table named

users
userId
password
name
and a third table

userroles
userroleid
userId
roleId


Then you need some stored procedures, that handle login and member ship
checks.
etcetera.
Maybe www.sourceforge.org has some samples...


[color=blue]
> did you mean "in a separate dbs"?
> can you explain me a bit more
> or post a link
>
> thanks again
>
> "Egbert Nierop (MVP for IIS)" <egbert_nierop@nospam.invalid> escribió en[/color]
el[color=blue]
> mensaje news:%235B8ePoTEHA.3140@tk2msftngp13.phx.gbl...[color=green]
> > "Hernán Castelo" <hcastelo@cedi.frba.utn.edu.ar> wrote in message
> > news:eEJLAzmTEHA.2416@TK2MSFTNGP12.phx.gbl...[color=darkred]
> > > well, i say
> > > without using COM+ objects
> > > and ...trusting in the IUSR .......
> > >
> > > unafortunately i can't move to .net[/color]
> >
> > This means that you'll have to create your own roles in a separate[/color][/color]
table.[color=blue]
> It[color=green]
> > is not that hard to do...
> >
> > Success
> >[/color]
>
>[/color]