IIS and SQL Security

  • We have a web server in the DMZ that connects to a SQL DB inside the firewall. It currently uses SQL Standard authentication for connections. A recent security audit suggested that we use Windows authentication because it is more secure. However, the DMZ web server is not part of our domain so we can't use a domain account for IIS. I have tried using two identical local accounts with identical passwords on the Web Server and SQL Server but have not had any success in connecting to the SQL database from IIS or from a DSN. Is it possible to authenticate from IIS to a remote SQL server using local Windows accounts in this way?

    Most of the articles I have read speak of using Domain accounts when using Windows authentication from IIS to a remote SQL server. Would it be an even greater security hole to make the IIS server in the DMZ a domain member?

    What is the common practice for attaching to a DB inside the firewall from a web server outside of the firewall?

  • The account on the SQL Server side, is it a local account? If it's a domain account, it won't work. It sounds like you have local accounts, but just checking to be sure.

    The security audit is correct: Windows auth tends to be seen as more secure. The reason Windows auth tends to be more secure is that if an attacker were able to compromise your web server, there is the possibility the attacker could find the username/password combination, especially if it's in global.asa or some similar file. With Windows auth, the password is encrypted in the SAM, therefore fewer worries. However, should an attacker be able to compromise the web server, there's nothing stopping said attacker from simply rewriting your code (provided it's ASP based). There's a thread in the last few days here about forcing all access through compiled objects (ActiveX) so that an attacker would not have direct access to the database. Also, if you did use SQL auth and you stored the username/password in the object, an attacker would usually have to decompile the object to get it.

    No, you don't want the IIS server a member of your domain. Basically you want to ensure that should an attacker compromise your IIS server, they don't have an open invitation into your other systems. Therefore, it should remain isolated in its own workgroup.

    K. Brian Kelley, GSEC

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley
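
An added example, not part of the original thread or either poster's code: a small Python audit script for the exposure the reply describes, a SQL username/password sitting in global.asa or a similar file. It classifies each connection string literal as Windows (trusted) or SQL Standard authentication; the sample global.asa content, host name, login and password are constructed for illustration.

```python
import re

# Connection-string keys that carry SQL Standard authentication credentials.
USER_KEYS = {"uid", "user id", "user"}
PASS_KEYS = {"pwd", "password"}
# Keys and values that request Windows (trusted) authentication instead.
TRUSTED = {"trusted_connection": {"yes", "true"},
           "integrated security": {"sspi", "true", "yes"}}
# A literal only counts as a connection string if it names a target or driver.
TARGET_KEYS = ("server", "data source", "dsn", "driver", "provider")
LITERAL = re.compile(r'"([^"]*)"')  # double-quoted string literal on one line

def parse_conn_string(s):
    """Split 'key=value;key=value' into a dict with lower-cased keys."""
    parts = (p.split("=", 1) for p in s.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in parts}

def classify(s):
    """Return 'windows', 'sql-embedded-password', 'sql-no-password' or None."""
    kv = parse_conn_string(s)
    if not any(k in kv for k in TARGET_KEYS):
        return None  # not a connection string
    for key, accepted in TRUSTED.items():
        if kv.get(key, "").lower() in accepted:
            return "windows"
    if any(kv.get(k) for k in PASS_KEYS):
        return "sql-embedded-password"  # plaintext password readable from the file
    if any(k in kv for k in USER_KEYS):
        return "sql-no-password"  # SQL login named, password supplied elsewhere
    return None

def scan(text):
    """Return [(line_number, classification)] for connection strings in text."""
    return [(n, kind)
            for n, line in enumerate(text.splitlines(), 1)
            for m in LITERAL.finditer(line)
            if (kind := classify(m.group(1)))]

# Constructed sample resembling a classic ASP global.asa; all values are made up.
SAMPLE = '''Sub Application_OnStart
  Application("ConnA") = "Provider=SQLOLEDB;Data Source=dbhost;Initial Catalog=Shop;User ID=webapp;Password=ExamplePw1"
  Application("ConnB") = "Driver={SQL Server};Server=dbhost;Database=Shop;Trusted_Connection=yes"
  Application("Title") = "Shop=Front"
End Sub'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A `sql-embedded-password` finding marks a file that gives working database credentials to anyone who can read the web root.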
