security : a good approach ?

Discussion in 'ASP General' started by Hernán Castelo, Jun 8, 2004.

  1. hi
    how much overhead
    or performance do i lose
    with the following configuration? :

    1- IIS starts the USER_X.asp page
    [ with exec permissions for IUSR ]
    2- USER_X.asp creates an out-of-proc object called PROXY_X
    [ PROXY_X runs under a PROFILE_X account ]
    [ IWAM has exec permissions for PROXY_X ]
    3- USER_X.asp invokes "sp_userx_..." stored procedures through PROXY_X
    [ PROXY_X has exec permissions for "sp_userx_..." ]
    4- and the same again for every user type x, y, z

    it doesn't have great scalability
    but it's enough in my case

    this is intended for security reasons
    i need to know your opinions about
    this configuration please

    thanks
    Hernán Castelo, Jun 8, 2004
    #1

  2. Re: security : a good approach ?

    yes, it's a good one. But it is seldom needed to protect your SQL server
    against IUSR_x and against IIS using COM+ impersonation.

    COM+ impersonation, in fact, is never recommended to increase security; it is
    used to have IUSR_x doing things on Active Directory (for instance) that
    IUSR_ is not allowed to do.
    Egbert Nierop (MVP for IIS), Jun 9, 2004
    #2

  3. ja, good
    (& excuse me to the newsgroup for the twin post)

    i must run stored procs on sql srv
    under different roles
    but the logon is always IUSR_...

    i understand IUSR_ will be a less permissive account
    just capable of making a connection,
    then how can i map from that connection
    to the specific sql role?
    i will need to exec a st.proc.
    giving the user type and then
    (i don't know how) restrict or permit
    permissions for the concerned st.proc. ...
    but is it secure?
    anyway, how can i shift to the corresponding role?

    thanks again


    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:eJReA%...
    > Re: security : a good approach ?
    >
    > yes, it's a good one. But it is seldom needed to protect your SQL server
    > against IUSR_x and against IIS using COM+ impersonation.
    >
    > COM+ impersonation, in fact, is never recommended to increase security; it is
    > used to have IUSR_x doing things on Active Directory (for instance) that
    > IUSR_ is not allowed to do.
    >
    Hernán Castelo, Jun 9, 2004
    #3
  4. "Hernán Castelo" <> wrote in message
    news:...
    > ja, good
    > (& excuse me to the newsgroup for the twin post)
    >
    > i must run stored procs on sql srv
    > under different roles
    > but the logon is always IUSR_...
    >
    > i understand IUSR_ will be a less permissive account
    > just capable of making a connection,
    > then how can i map from that connection
    > to the specific sql role?
    > i will need to exec a st.proc.
    > giving the user type and then
    > (i don't know how) restrict or permit
    > permissions for the concerned st.proc. ...
    > but is it secure?
    > anyway, how can i shift to the corresponding role?


    you cannot really use SQL server roles if you impersonate. But if you
    disable impersonation through a single user (IUSR_ or a COM+ user), resource
    pooling is disabled.
    The best is to create your own roles. If you switch to ASP.NET, this is
    **very** easy using forms authentication.

    > thanks again
    >
    >
    > "Egbert Nierop (MVP for IIS)" <> wrote in
    > message news:eJReA%...
    > > Re: security : a good approach ?
    > >
    > > yes, it's a good one. But it is seldom needed to protect your SQL server
    > > against IUSR_x and against IIS using COM+ impersonation.
    > >
    > > COM+ impersonation, in fact, is never recommended to increase security; it is
    > > used to have IUSR_x doing things on Active Directory (for instance) that
    > > IUSR_ is not allowed to do.
    > >
    >
    >
    Egbert Nierop (MVP for IIS), Jun 9, 2004
    #4
  5. well, i say
    without using COM+ objects
    and ...trusting in the IUSR .......

    unfortunately i can't move to .net

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:...
    > "Hernán Castelo" <> wrote in message
    > news:...
    > > ja, good
    > > (& excuse me to the newsgroup for the twin post)
    > >
    > > i must run stored procs on sql srv
    > > under different roles
    > > but the logon is always IUSR_...
    > >
    > > i understand IUSR_ will be a less permissive account
    > > just capable of making a connection,
    > > then how can i map from that connection
    > > to the specific sql role?
    > > i will need to exec a st.proc.
    > > giving the user type and then
    > > (i don't know how) restrict or permit
    > > permissions for the concerned st.proc. ...
    > > but is it secure?
    > > anyway, how can i shift to the corresponding role?
    >
    > you cannot really use SQL server roles if you impersonate. But if you
    > disable impersonation through a single user (IUSR_ or a COM+ user), resource
    > pooling is disabled.
    > The best is to create your own roles. If you switch to ASP.NET, this is
    > **very** easy using forms authentication.
    >
    > > thanks again
    > >
    > >
    > > "Egbert Nierop (MVP for IIS)" <> wrote in
    > > message news:eJReA%...
    > > > Re: security : a good approach ?
    > > >
    > > > yes, it's a good one. But it is seldom needed to protect your SQL server
    > > > against IUSR_x and against IIS using COM+ impersonation.
    > > >
    > > > COM+ impersonation, in fact, is never recommended to increase security; it is
    > > > used to have IUSR_x doing things on Active Directory (for instance) that
    > > > IUSR_ is not allowed to do.
    > > >
    > >
    > >
    >
    Hernán Castelo, Jun 9, 2004
    #5
  6. "Hernán Castelo" <> wrote in message
    news:...
    > well, i say
    > without using COM+ objects
    > and ...trusting in the IUSR .......
    >
    > unfortunately i can't move to .net


    This means that you'll have to create your own roles in a separate table. It
    is not that hard to do...

    Success
    Egbert Nierop (MVP for IIS), Jun 10, 2004
    #6
  7. hi
    i don't understand well
    that "in a separate table"
    did you mean "in a separate dbs"?
    can you explain a bit more to me
    or post a link

    thanks again

    "Egbert Nierop (MVP for IIS)" <> wrote in
    message news:%...
    > "Hernán Castelo" <> wrote in message
    > news:...
    > > well, i say
    > > without using COM+ objects
    > > and ...trusting in the IUSR .......
    > >
    > > unfortunately i can't move to .net
    >
    > This means that you'll have to create your own roles in a separate table. It
    > is not that hard to do...
    >
    > Success
    >
    Hernán Castelo, Jun 11, 2004
    #7
  8. "Hernán Castelo" <> wrote in message
    news:%...
    > hi
    > i don't understand well
    > that "in a separate table"


    Create new SQL Server tables,
    for instance

    roles
      roleId
      name

    and a table named

    users
      userId
      password
      name

    and a third table

    userroles
      userroleid
      userId
      roleId


    Then you need some stored procedures that handle login and membership
    checks, etcetera.
    Maybe www.sourceforge.org has some samples...



    > did you mean "in a separate dbs"?
    > can you explain a bit more to me
    > or post a link
    >
    > thanks again
    >
    > "Egbert Nierop (MVP for IIS)" <> wrote in
    > message news:%...
    > > "Hernán Castelo" <> wrote in message
    > > news:...
    > > > well, i say
    > > > without using COM+ objects
    > > > and ...trusting in the IUSR .......
    > > >
    > > > unfortunately i can't move to .net
    > >
    > > This means that you'll have to create your own roles in a separate table. It
    > > is not that hard to do...
    > >
    > > Success
    > >
    >
    >
    Egbert Nierop (MVP for IIS), Jun 11, 2004
    #8
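An added example, not code from the thread: the roles / users / userroles tables Egbert sketches in T-SQL, one membership-check procedure that the "sp_userx_..." procedures from the first post could call, and the grants that let the shared web login use it without reading or changing role assignments. The column types, the hashed-password columns (in place of the clear-text "password" column), the procedure name and the [IUSR_WEB] user name are assumptions.

```sql
-- Added example (not from the thread). Assumptions: SQL Server T-SQL;
-- column types, the passwordHash/passwordSalt columns, the procedure
-- name and the [IUSR_WEB] database user are invented for illustration.
CREATE TABLE roles (
    roleId INT IDENTITY(1,1) PRIMARY KEY,
    name   NVARCHAR(64) NOT NULL UNIQUE
);

CREATE TABLE users (
    userId       INT IDENTITY(1,1) PRIMARY KEY,
    name         NVARCHAR(64) NOT NULL UNIQUE,
    -- the application stores a salted hash here, never the clear-text password
    passwordHash VARBINARY(64) NOT NULL,
    passwordSalt VARBINARY(16) NOT NULL
);

CREATE TABLE userroles (
    userroleId INT IDENTITY(1,1) PRIMARY KEY,
    userId     INT NOT NULL REFERENCES users(userId),
    roleId     INT NOT NULL REFERENCES roles(roleId),
    UNIQUE (userId, roleId)
);
GO

-- Membership check: @isMember = 1 when the user holds the named role.
-- Each "sp_userx_..." procedure can call this first and RAISERROR on 0,
-- so the role decision is enforced inside SQL Server rather than in ASP
-- code that runs as the shared IUSR_ account.
CREATE PROCEDURE usp_IsUserInRole
    @userId   INT,
    @roleName NVARCHAR(64),
    @isMember BIT OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @isMember = CASE WHEN EXISTS (
            SELECT 1
            FROM userroles ur
            JOIN roles r ON r.roleId = ur.roleId
            WHERE ur.userId = @userId AND r.name = @roleName)
        THEN 1 ELSE 0 END;
END
GO

-- The web user gets EXECUTE on the procedure only: it can ask "is this
-- user in this role?" but cannot read or rewrite the role assignments.
GRANT EXECUTE ON usp_IsUserInRole TO [IUSR_WEB];
DENY SELECT, INSERT, UPDATE, DELETE ON userroles TO [IUSR_WEB];
```

A login procedure (not shown) would look the user up by name, have the application compare the salted hash, and hand the resulting userId to the ASP session, which then passes it to every role-checked procedure.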
