hi
how much overhead
or performance i lose
with the next configuration ? :
1- IIS starts the USER_X.asp page
[ with exec permissions for IUSR ]
2- USER_X.asp creates an out-of-proc object called PROXY_X
[ PROXY_X runs under a PROFILE_X account ]
[ IWAM has exec permissons for PROXY_X ]
3- USER_X.asp invoke "sp_userx_..." stored procedures thru PROXY_X
[ PROXY_X has exec permissions for "sp_userx_..." ]
4- and the same again for every user type x, y, z
it has not the big scalability
but its enough in my case
this is intended for security reasons
i neer to know your opinions about
this configuration please
thanks 7 1380
Re: security : a good approach ?
yes, it's a good one. But seldomly it is needed, to protect your SQL server
against IUSR_x and against IIS using COM+ impersonation.
COM+ impersonation in fact, never is recommended to increase security, it is
used to have IUSR_x doing things on ACTive Directory, (for instance) that
IUSR_ is not allowed to do.
ja, good
(& excuse me to the news for the twin post)
i must run stored proc on sql srv
under different roles
but the logon is always IUSR_...
i understand IUSR_ will be a less permisive account
just capable of make a connection,
then how can i map from that connection
to the specific sql role?
i will need to exec an st.proc.
giving the user type and then
(i don't know how) restrict or permit
permissions for concerned st.proc. ...
but does it is secure?
anyway, how can i shift to the corresponding role?
thanks again
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en el
mensaje news:eJ****************@tk2msftngp13.phx.gbl... Re: security : a good approach ?
yes, it's a good one. But seldomly it is needed, to protect your SQL
server against IUSR_x and against IIS using COM+ impersonation.
COM+ impersonation in fact, never is recommended to increase security, it
is used to have IUSR_x doing things on ACTive Directory, (for instance) that IUSR_ is not allowed to do.
"Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message
news:uC**************@TK2MSFTNGP12.phx.gbl... ja, good (& excuse me to the news for the twin post)
i must run stored proc on sql srv under different roles but the logon is always IUSR_...
i understand IUSR_ will be a less permisive account just capable of make a connection, then how can i map from that connection to the specific sql role? i will need to exec an st.proc. giving the user type and then (i don't know how) restrict or permit permissions for concerned st.proc. ... but does it is secure? anyway, how can i shift to the corresponding role?
you cannot really use SQL server roles if you impersonate. But if you
disable impersonation through a single user (IUSR_ or a COM+ user), resource
pooling is disabled.
The best is to create your own roles. If you switch to ASP.NET, this is
**very** easy using forms authentication.
thanks again
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en
el mensaje news:eJ****************@tk2msftngp13.phx.gbl... Re: security : a good approach ?
yes, it's a good one. But seldomly it is needed, to protect your SQL server against IUSR_x and against IIS using COM+ impersonation.
COM+ impersonation in fact, never is recommended to increase security,
it is used to have IUSR_x doing things on ACTive Directory, (for instance)
that IUSR_ is not allowed to do.
well, i say
without using COM+ objects
and ...trusting in the IUSR .......
unafortunately i can't move to .net
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en el
mensaje news:e4*************@TK2MSFTNGP12.phx.gbl... "Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message news:uC**************@TK2MSFTNGP12.phx.gbl... ja, good (& excuse me to the news for the twin post)
i must run stored proc on sql srv under different roles but the logon is always IUSR_...
i understand IUSR_ will be a less permisive account just capable of make a connection, then how can i map from that connection to the specific sql role? i will need to exec an st.proc. giving the user type and then (i don't know how) restrict or permit permissions for concerned st.proc. ... but does it is secure? anyway, how can i shift to the corresponding role? you cannot really use SQL server roles if you impersonate. But if you disable impersonation through a single user (IUSR_ or a COM+ user),
resource pooling is disabled. The best is to create your own roles. If you switch to ASP.NET, this is **very** easy using forms authentication.
thanks again
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en el mensaje news:eJ****************@tk2msftngp13.phx.gbl... Re: security : a good approach ?
yes, it's a good one. But seldomly it is needed, to protect your SQL server against IUSR_x and against IIS using COM+ impersonation.
COM+ impersonation in fact, never is recommended to increase security, it is used to have IUSR_x doing things on ACTive Directory, (for instance) that IUSR_ is not allowed to do.
"Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message
news:eE**************@TK2MSFTNGP12.phx.gbl... well, i say without using COM+ objects and ...trusting in the IUSR .......
unafortunately i can't move to .net
This means that you'll have to create your own roles in a separate table. It
is not that hard to do...
Success
hi
i don't understand well
those "in a separate table"
did you mean "in a separate dbs"?
can you explain me a bit more
or post a link
thanks again
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en el
mensaje news:%2****************@tk2msftngp13.phx.gbl... "Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message news:eE**************@TK2MSFTNGP12.phx.gbl... well, i say without using COM+ objects and ...trusting in the IUSR .......
unafortunately i can't move to .net This means that you'll have to create your own roles in a separate table.
It is not that hard to do...
Success
"Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message
news:%2***************@TK2MSFTNGP11.phx.gbl... hi i don't understand well those "in a separate table"
Create a new SQL server table
for instance
roles
roleId
name
and a table named
users
userId
password
name
and a third table
userroles
userroleid
userId
roleId
Then you need some stored procedures, that handle login and member ship
checks.
etcetera.
Maybe www.sourceforge.org has some samples...
did you mean "in a separate dbs"? can you explain me a bit more or post a link
thanks again
"Egbert Nierop (MVP for IIS)" <eg***********@nospam.invalid> escribió en
el mensaje news:%2****************@tk2msftngp13.phx.gbl... "Hernán Castelo" <hc******@cedi.frba.utn.edu.ar> wrote in message news:eE**************@TK2MSFTNGP12.phx.gbl... well, i say without using COM+ objects and ...trusting in the IUSR .......
unafortunately i can't move to .net This means that you'll have to create your own roles in a separate
table. It is not that hard to do...
Success
This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: craig |
last post by:
I am working on my first .NET development project that involves custom
role-based security per the project requirements. This lead to a general
design issue this week that really caused us some...
|
by: A.M. |
last post by:
Hi at all,
how can I do to insert into a HTML page a file .txt stored in the same
directory of the server where is the html file that must display the text
file.txt?
Thank you very much
P.Pietro
|
by: rjames.clarke |
last post by:
I am developing an online application and the last thing I need to get
a handle on is security.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted in...
|
by: Mike MacSween |
last post by:
S**t for brains strikes again!
Why did I do that? When I met the clients and at some point they vaguely
asked whether eventually would it be possible to have some people who could
read the data...
|
by: Lyle Fairfield |
last post by:
There is an MS-SQL table named Bugs_Comments_and_Suggestions.
There is a form named Bugs_Comments_and_Suggestions.
To allow John Doe to use this form, we GRANT him LOGIN and ACCESS permissions...
|
by: Will |
last post by:
I am looking at using a table with user names, passwords and user rights,
which I would administer. I have read a lot about the shortfalls of this
and the lack of security but the customer does...
|
by: Marina |
last post by:
Hi,
I am trying to find the minimum security settings to allow a windows control
embedded in IE have full trust.
If I give the entire Intranet zone full trust, this works. However, this is...
|
by: Henrik Skak Pedersen |
last post by:
Hi,
I have a set up where a windows client connects to a web service to retrieve
a license file. The client is a consumer product which is beeing distributed
to multiple locations.
1) I would...
|
by: yawnmoth |
last post by:
A particular web hosting company decided to install phpsuexec on all
their webservers, citing security considerations. My question is...
is it really more secure?
Without phpsuexec, if a PHP...
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |