Controlling Access to a Database on a Web Server

Applies To: Windows Server 2003, Windows Server 2003 with SP1

For Web applications that communicate with a database, controlling access to the database is a critical element of Web server security. There are several ways to control access to a database that is published on an IIS 6.0 Web server:

  • Use the built-in security permissions of the database application or the database management system. Many of the integrated user authentication methods in your database provide access control at a fine level of granularity. For example, the Database Results Wizard in Microsoft FrontPage 2002 allows you to create a Web page that can access a database, and to use password protection on the database connection. For more information about Microsoft SQL Server security, see the Help topics in SQL Server Enterprise Manager. For more information about Microsoft Access 2002 security, see the Help topics that are accessible from the Help menu.

  • Use the data source name (DSN). The DSN that you create on the Web server is used by an external program or an ASP page to refer to the database that you want to publish on your Web site. For more information about how to determine the DSN password setting for a database or database management system, consult the application's help.

  • Use NTFS permissions. Windows Server 2003 NTFS permissions can restrict access to specific folders and files on your Web site. For more information about NTFS, see Help and Support Center for Windows Server 2003.

  • Use subwebs to restrict access to a section of the Web site. For example, if you use FrontPage to create a Web site, you can create security boundaries by using subwebs. Each subweb can maintain separate security settings, so you can store database results pages or ASP pages that reference the database in a subweb with unique permissions. For more information about creating subwebs and assigning unique permissions, see Knowledge Base article 301432, How to Create a Subweb and Add Permissions Using FrontPage 2000.

  • Use an appropriate Web server authentication method. Database user authentication can depend on the protocol that is used for the database connection. For example, if you decide to use the Named Pipes default connection protocol for SQL Server, Windows user account credentials might be authenticated with SQL Server authentication.
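The DSN and Web server authentication bullets above both come down to how a page's connection string names the database and supplies credentials. As an added example that is not part of this article, the Python script below parses ODBC-style connection strings (the sample strings are constructed, not taken from any site) and flags the forms a reviewer of an ASP site would want changed: credentials embedded in page text, blank passwords, and use of the sa account, while distinguishing DSN-based, Windows-authenticated (Trusted_Connection) and SQL-authenticated connections.

```python
# Constructed sample connection strings of the kind found in ASP pages.
# The server, database, user and password values are placeholders.
SAMPLE_STRINGS = [
    "DSN=SalesDB;UID=webreader;PWD=Example!1",
    "Driver={SQL Server};Server=DB01;Database=Sales;Trusted_Connection=yes",
    "Driver={SQL Server};Server=DB01;Database=Sales;UID=sa;PWD=",
    "DSN=SalesDB",
]


def parse_connection_string(conn):
    """Split an ODBC-style 'Key=Value;...' string into a dict with lower-case keys."""
    parts = {}
    for item in conn.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            parts[key.strip().lower()] = value.strip()
    return parts


def classify(conn):
    """Return (category, findings) for one connection string.

    category is 'windows', 'dsn', 'sql' or 'unknown'.
    findings lists the conditions a reviewer would want fixed.
    """
    p = parse_connection_string(conn)
    findings = []
    trusted = p.get("trusted_connection", "").lower() in ("yes", "true")
    if trusted:
        category = "windows"          # Windows credentials, no password in the page
    elif "dsn" in p:
        category = "dsn"              # database details live in the DSN on the server
    elif "uid" in p or "user id" in p:
        category = "sql"              # SQL Server authentication with a named login
    else:
        category = "unknown"
    user = (p.get("uid") or p.get("user id") or "").lower()
    if user == "sa":
        findings.append("uses the sa account; use a least-privilege login instead")
    if "pwd" in p or "password" in p:
        password = p.get("pwd", p.get("password", ""))
        if password == "":
            findings.append("blank password")
        else:
            findings.append("password embedded in page text")
    return category, findings


def audit(strings):
    """Classify every string; returns a list of (string, category, findings)."""
    return [(s, *classify(s)) for s in strings]
```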