Best Security Practices for ASP against SQL Server


  1. #1

    Re: Best Security Practices for ASP against SQL Server

    No, you shouldn't use a DSN. You should use OLEDB connection strings and
    create your connection when you need it. You can store the connection
    string anywhere you'd like though.

    Get your OLE DB connection strings here: http://www.connectionstrings.com/

    Set oADO = Server.CreateObject("adodb.connection")
    oADO.Open YourOLEDBConnectionString

    Ray at home

    --
    Will trade ASP help for SQL Server help


    "William Johnson" <wbj4@cdc.gov> wrote in message
    news:04a701c3515d$7d12fa70$a101280a@phx.gbl...
    > I have different bits of advice about what is acceptable
    > practice. I found a KB article (Q169377) advising to put
    > the DSN string in the global.asa. Is this really ok and
    > why?

    Ray at Guest

  3. #2

    Re: Best Security Practices for ASP against SQL Server

    If you REALLY want the BEST security practice, you would
    use NT Integrated security for your authentication.

    However, this is not always feasible, especially for
    public websites.

    The problem with storing your connection string anywhere
    on the server, whether in the global.asa or anywhere else,
    is the uid and password are stored in clear text. This is
    a potential for compromise.

    We have created a VB dll and stored our connection strings
    there. Even this is not 100% secure, as it is technically
    possible to hack the dll and retrieve the uid and
    passwords, but it's more secure than storing them in a
    plain text file like global.asa. Our next step is to make
    the dll run in its own security context and use NT
    integrated security for the dll. Then we won't even store
    the uid and password in the dll.

    >-----Original Message-----
    >I think he was asking from a security perspective.
    >
    >I usually put my connection strings in global.asa as a Session variable.
    >Keeping it in one spot makes it a lot easier if you change databases.
    >
    >
    >"Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    >news:ODuqP5ZUDHA.1012@TK2MSFTNGP11.phx.gbl...
    >> No, you shouldn't use a DSN. You should use OLEDB connection strings and
    >> create your connection when you need it. You can store the connection
    >> string anywhere you'd like though.
    >>
    >> Get your OLE DB connection strings here:
    >> http://www.connectionstrings.com/
    >>
    >> Set oADO = Server.CreateObject("adodb.connection")
    >> oADO.Open YourOLEDBConnectionString
    >>
    >> Ray at home
    >>
    >> --
    >> Will trade ASP help for SQL Server help
    >>
    >>
    >> "William Johnson" <wbj4@cdc.gov> wrote in message
    >> news:04a701c3515d$7d12fa70$a101280a@phx.gbl...
    >> > I have different bits of advice about what is acceptable
    >> > practice. I found a KB article (Q169377) advising to put
    >> > the DSN string in the global.asa. Is this really ok and
    >> > why?
    >>
    >>
    >
    >
    >.
    >
    John Beschler Guest

  4. #3

    Re: Best Security Practices for ASP against SQL Server

    We keep our connection string and other global variables in an include file:
    sitevariables.asp

    and then in our ASP page it's just this include:
    <!-- #include file="ourincludefolder/sitevariables.asp" -->

    You don't have to use session or application variables then.

    Dave Woestenborghs
    ASP Developer
    Belgium

    "Tom B" <shuckle@hotmail.com> wrote in message
    news:%23FlGWCeUDHA.2364@TK2MSFTNGP09.phx.gbl...
    > I think he was asking from a security perspective.
    >
    > I usually put my connection strings in global.asa as a Session variable.
    > Keeping it in one spot makes it a lot easier if you change databases.
    >
    >
    > "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    > news:ODuqP5ZUDHA.1012@TK2MSFTNGP11.phx.gbl...
    > > No, you shouldn't use a DSN. You should use OLEDB connection strings and
    > > create your connection when you need it. You can store the connection
    > > string anywhere you'd like though.
    > >
    > > Get your OLE DB connection strings here:
    > > http://www.connectionstrings.com/
    > >
    > > Set oADO = Server.CreateObject("adodb.connection")
    > > oADO.Open YourOLEDBConnectionString
    > >
    > > Ray at home
    > >
    > > --
    > > Will trade ASP help for SQL Server help
    > >
    > >
    > > "William Johnson" <wbj4@cdc.gov> wrote in message
    > > news:04a701c3515d$7d12fa70$a101280a@phx.gbl...
    > > > I have different bits of advice about what is acceptable
    > > > practice. I found a KB article (Q169377) advising to put
    > > > the DSN string in the global.asa. Is this really ok and
    > > > why?
    > >
    > >
    >
    >

    DaWoE Guest

  5. #4

    Re: Best Security Practices for ASP against SQL Server

    That is a potential security risk if you store the
    password as part of the connection string. It is
    technically possible for IIS to return the contents of an
    ASP page to the browser under certain conditions. If you
    use an include file it should NOT have an ASP extension
    (or any extension that could be returned to the browser).
    MS recommends using the global.asa for that reason. If you
    want to store your site variables in the file as well, at
    least use a different extension such as ".inc". The MS
    folks will correct me if I'm wrong, but I believe that IIS
    will not return the contents of a ".inc" file to the
    browser.


    >-----Original Message-----
    >We keep our connectionstring and other global variables in a include file :
    >sitevariables.asp
    >
    >and then in our asp-page it's just this include
    ><!--include file="ourincludefolder/sitevariables.asp" -->
    >
    >You don't have to use session or application variable then.
    >
    >Dave Woestenborghs
    >ASP Developer
    >Belgium
    >
    >"Tom B" <shuckle@hotmail.com> wrote in message
    >news:%23FlGWCeUDHA.2364@TK2MSFTNGP09.phx.gbl...
    >> I think he was asking from a security perspective.
    >>
    >> I usually put my connection strings in global.asa as a Session variable.
    >> Keeping it in one spot makes it a lot easier if you change databases.
    >>
    >>
    >> "Ray at <%=sLocation%>" <myfirstname at lane34 dot com> wrote in message
    >> news:ODuqP5ZUDHA.1012@TK2MSFTNGP11.phx.gbl...
    >> > No, you shouldn't use a DSN. You should use OLEDB connection strings and
    >> > create your connection when you need it. You can store the connection
    >> > string anywhere you'd like though.
    >> >
    >> > Get your OLE DB connection strings here:
    >> > http://www.connectionstrings.com/
    >> >
    >> > Set oADO = Server.CreateObject("adodb.connection")
    >> > oADO.Open YourOLEDBConnectionString
    >> >
    >> > Ray at home
    >> >
    >> > --
    >> > Will trade ASP help for SQL Server help
    >> >
    >> >
    >> > "William Johnson" <wbj4@cdc.gov> wrote in message
    >> > news:04a701c3515d$7d12fa70$a101280a@phx.gbl...
    >> > > I have different bits of advice about what is acceptable
    >> > > practice. I found a KB article (Q169377) advising to put
    >> > > the DSN string in the global.asa. Is this really ok and
    >> > > why?
    >> >
    >> >
    >>
    >>
    >
    >
    >.
    >
    John Beschler Guest

  6. #5

    Re: Best Security Practices for ASP against SQL Server

    "Chris Hohmann" <hohmannATyahooDOTcom> wrote in message
    news:uoN8oztUDHA.1812@TK2MSFTNGP11.phx.gbl...
    > As for securing the connection string, I've adopted the policy of using
    > a reference to a Data Link File as my connection string. i.e.:
    >
    > gConn = "FILE=C:\SomePathOutsideApplicationRoot\MyDatabase.udl"

    Sorry, that should be:

    gConn = "File Name=C:\SomePathOutsideApplicationRoot\MyDatabase.udl"


    Chris Hohmann Guest
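
Added example, not code from any poster in this thread: a Python audit that finds connection string literals in ASP source and sorts them into the three storage styles discussed in posts #2 and #5 (uid/password in clear text, NT integrated security, Data Link File reference). The server name, database name, account and password in the sample are constructed, and the category labels are this example's own.

```python
import re

# Keys that put a secret in the string itself (OLE DB and ODBC spellings).
PASSWORD_KEYS = ("password", "pwd")
# Keys and values that select Windows (NT) integrated authentication.
TRUSTED = {"integrated security": ("sspi", "true", "yes"),
           "trusted_connection": ("yes", "true")}
# A literal is treated as a connection string only if it names one of these.
MARKER_KEYS = ("provider", "driver", "dsn", "data source", "server", "file name")
# VBScript string literal; "" is an escaped quote inside the literal.
VB_LITERAL = re.compile(r'"((?:[^"]|"")*)"')

def parse_conn_string(text):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys.
    Simplification: quoted values that contain ';' are not handled."""
    pairs = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def classify(text):
    kv = parse_conn_string(text)
    if any(kv.get(k) for k in PASSWORD_KEYS):
        return "cleartext-password"   # readable by anyone who can read the file
    if "file name" in kv:
        return "udl-reference"        # the .udl is a text file too; check its contents
    if any(kv.get(k, "").lower() in ok for k, ok in TRUSTED.items()):
        return "integrated"           # no uid/password stored in the string
    return "no-inline-credential"

def audit_source(source):
    """Return (line number, classification) for each connection string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in VB_LITERAL.finditer(line):
            literal = match.group(1).replace('""', '"')
            if any(k in parse_conn_string(literal) for k in MARKER_KEYS):
                findings.append((lineno, classify(literal)))
    return findings

# Constructed sample of ASP source; every name and the password are made up.
SAMPLE = r'''<%
Application("Conn") = "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=Shop;User ID=webapp;Password=example-only;"
sTrusted = "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=Shop;Integrated Security=SSPI;"
gConn = "File Name=C:\SomePathOutsideApplicationRoot\MyDatabase.udl"
sTitle = "Welcome"
%>'''

if __name__ == "__main__":
    for lineno, verdict in audit_source(SAMPLE):
        print(lineno, verdict)
```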
