Connecting to DB with the 'machine' account

josef

This seems like a bad idea, but I'm having trouble identifying why.
With an ASP.NET application I am using Windows Integrated
Authentication. The aspnet_wp.exe runs as 'machine' per the
processModel element in machine.config. By creating a domain\machine$
user in the database, I can successfully connect to the database.

So in my case the domain is flintstone and the web server is fred. By
adding the flintstone\fred$ user to the database, any .NET process
running on the web server can connect to the database. It seems like
I'm opening the database up for malicious attacks from a rogue process
on the web server.

By moving from integrated security in the connection string to an
explicit user/pwd I appear to have more control over what processes can
access the database.

What are your thoughts about this?
 
Guest

By specifying an explicit user/pwd you are enabling someone to discover a
username and password which can be used from any other server to connect to
the SQL Server. Moreover, making the password of a user known to anyone who
opens up a file (I am assuming this is in the web.config) is not a very good
idea, intuitively.

On the machine account side, you are sure of one thing: that the machine is a
member of Active Directory, which itself is a certain level of security.
Also, generally machine accounts are given access to a database when both the
web server as well as the DB server are in your (or support team's)
control and nobody else has physical access to those boxes.

My 2 cents!!
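
Added example, not part of either post: a small audit that reads a web.config and reports which connection strings rely on integrated security and which store a SQL login password in the file, the trade-off discussed above. The `<connectionStrings>` layout, server name, database name and credentials are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config; server, database and credentials are made up.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="Integrated" connectionString="Server=dbserver;Database=AppDb;Integrated Security=SSPI;" />
    <add name="SqlLogin" connectionString="Server=dbserver;Database=AppDb;User ID=webapp;Password=example-password;" />
    <add name="Mixed" connectionString="Server=dbserver;Database=AppDb;Trusted_Connection=yes;pwd=leftover;" />
  </connectionStrings>
</configuration>"""

INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
PASSWORD_KEYS = {"password", "pwd"}
TRUE_VALUES = {"true", "yes", "sspi"}

def parse_connection_string(raw):
    """Split 'key=value;...' into a dict with lower-cased keys (no quoted-value support)."""
    pairs = {}
    for part in raw.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_web_config(xml_text):
    """Return {name: finding} for every <add> under <connectionStrings>."""
    findings = {}
    root = ET.fromstring(xml_text)
    for add in root.findall("./connectionStrings/add"):
        pairs = parse_connection_string(add.get("connectionString", ""))
        integrated = any(pairs.get(k, "").lower() in TRUE_VALUES for k in INTEGRATED_KEYS)
        has_password = any(pairs.get(k) for k in PASSWORD_KEYS)
        if has_password and integrated:
            finding = "integrated, but stale password still stored in file"
        elif has_password:
            finding = "SQL login with plaintext password in file"
        elif integrated:
            finding = "integrated (process identity, no secret in file)"
        else:
            finding = "no credentials found"
        findings[add.get("name")] = finding
    return findings

if __name__ == "__main__":
    for name, finding in audit_web_config(SAMPLE_WEB_CONFIG).items():
        print(f"{name}: {finding}")
```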
 
