
Connecting to DB with the 'machine' account

This seems like a bad idea, but I'm having trouble identifying why.
With an ASP.NET application I am using Windows Integrated
Authentication. The aspnet_wp.exe runs as 'machine' per the
processModel element in machine.config. By creating a domain\machine$
user in the database, I can successfully connect to the database.

So in my case the domain is flintstone and the web server is fred. By
adding the flintstone\fred$ user to the database, any .NET process
running on the web server can connect to the database. It seems like
I'm opening the database up for malicious attacks from a rogue process
on the web server.

By moving from integrated security in the connection string to an
explicit user/pwd I appear to have more control over what processes can
access the database.

What are your thoughts about this?

Nov 19 '05 #1


True.

Eliyahu

<jo***@wainz.net> wrote in message
news:11**********************@o13g2000cwo.googlegroups.com...
This seems like a bad idea, but I'm having trouble identifying why.
With an ASP.NET application I am using Windows Integrated
Authentication. The aspnet_wp.exe runs as 'machine' per the
processModel element in machine.config. By creating a domain\machine$
user in the database, I can successfully connect to the database.

So in my case the domain is flintstone and the web server is fred. By
adding the flintstone\fred$ user to the database, any .NET process
running on the web server can connect to the database. It seems like
I'm opening the database up for malicious attacks from a rogue process
on the web server.

By moving from integrated security in the connection string to an
explicit user/pwd I appear to have more control over what processes can
access the database.

What are your thoughts about this?

Nov 19 '05 #2

By specifying an explicit user/pwd you are enabling someone to discover a
username and password which can be used from any other server to connect to
the SQL Server. Moreover, making the passwords of a user known to anyone who
opens up a file (I am assuming this is in the web.config) is not a very good
idea, intuitively.

On the machine account side, you are sure of one thing: that the machine is a
member of the Active Directory, which itself is a certain level of security.
Also, generally machine accounts are given access to a database when both the
web server as well as the DB server are in your (or the support team's)
control and nobody else has physical access to those boxes.

My 2 cents!!

"jo***@wainz.net" wrote:
This seems like a bad idea, but I'm having trouble identifying why.
With an ASP.NET application I am using Windows Integrated
Authentication. The aspnet_wp.exe runs as 'machine' per the
processModel element in machine.config. By creating a domain\machine$
user in the database, I can successfully connect to the database.

So in my case the domain is flintstone and the web server is fred. By
adding the flintstone\fred$ user to the database, any .NET process
running on the web server can connect to the database. It seems like
I'm opening the database up for malicious attacks from a rogue process
on the web server.

By moving from integrated security in the connection string to an
explicit user/pwd I appear to have more control over what processes can
access the database.

What are your thoughts about this?

Nov 19 '05 #3
