Tushar Karsan #1
Security: ASP.Net + SQL Server DMZ
(Been reading other messages on this subject but could not find an answer,
that is why I'm posting this. Please note, although I have posted to several
groups, I've set follow-to microsoft.public.sqlserver.security in case I
posted to where I shouldn't have, sorry if I have).
I am working on an ASP.Net app that will be in the DMZ and SQL Server will be
behind the firewall inside a secure zone. It seems as though there are two
possible methods of securing the DB:
1. Using integrated security.
   a. This will use the Win2K challenge-response mechanism and hence passwords and
      user IDs would not need to be handled in the web app.
   b. This probably means that both ASP.Net and DB would have to be on the same
      Windows domain.
2. Using SQL Server security (do not know if it is the right name)
   a. Connection-string will need to include both uid and pwd.
   b. For security reasons, connection-string will need to be stored away from
      the app in a secure place, probably encrypted.
   c. At runtime the connection-string will need retrieving and decrypting and
      passing as clear text to the Open() method on the connection.
It seems as though 2c makes it less secure if the network is spoofed, hence
method 1 seems to be the better option, is that correct? If so, port 1433
would need to be opened from the DMZ to the DB zone, in that direction, is
that correct?
Any other pointers or suggestions will be much appreciated.
thanks,
Tushar
Tushar Karsan Guest
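
An added example, not part of the original post: a C# check over the two connection-string styles the question describes (integrated security versus uid/pwd). It assumes the `System.Data.SqlClient` provider, where `Encrypt` is a bool that defaults to false; the server name, database, login and password are constructed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Returns findings for one connection string; an empty list means nothing was flagged.
    public static List<string> Audit(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        var findings = new List<string>();
        if (b.IntegratedSecurity)
        {
            // Method 1: the process's Windows identity is used, so no secret belongs here.
            if (b.UserID.Length > 0 || b.Password.Length > 0)
                findings.Add("uid/pwd present but ignored under integrated security; remove them");
        }
        else
        {
            // Method 2: SQL Server authentication, the secret travels with the string.
            if (b.Password.Length > 0)
                findings.Add("SQL login password embedded; keep the stored form encrypted");
            if (b.PersistSecurityInfo)
                findings.Add("Persist Security Info=True keeps the password readable after Open()");
        }
        // Applies to both methods: settings for the DMZ-to-database hop.
        if (!b.Encrypt)
            findings.Add("Encrypt not requested; session encryption depends on the server forcing it");
        if (b.TrustServerCertificate)
            findings.Add("TrustServerCertificate=True skips validation of the server certificate");
        return findings;
    }

    static void Main()
    {
        // Constructed samples; db01.internal.example and web_app are placeholders.
        string[] samples =
        {
            "Server=db01.internal.example,1433;Database=App;Integrated Security=SSPI;Encrypt=True",
            "Server=db01.internal.example,1433;Database=App;User ID=web_app;Password=example-only;Persist Security Info=True"
        };
        foreach (string s in samples)
        {
            Console.WriteLine(new SqlConnectionStringBuilder(s).DataSource);
            foreach (string f in Audit(s)) Console.WriteLine("  - " + f);
        }
    }
}
```

The first sample produces no findings; the second is flagged for the embedded password, `Persist Security Info=True`, and the missing `Encrypt` request.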




