[This is preliminary documentation and subject to change]
Controlling Database Access
You can use a variety of techniques to effectively restrict
access to your database files. These techniques can range from
configuring your database software's security features to setting
NTFS permissions for database files. This topic outlines basic
guidelines for effectively restricting access to your Web server's
database files.
To control database access
- Configure your database software's security features when
creating database files. With the security features provided by
some versions of database software, you can control user access to
database files with a high degree of granularity. For example, with
Microsoft SQL Server security features, you can control how users
access a particular database file, including how those users access
specific tables, records, and fields. For more information, consult
your database software documentation.
- Secure the database files and directories stored on your Web
server by setting appropriate NTFS permissions. Make sure that
trusted users who need to update database files have appropriate
permissions. For more information, see Setting NTFS Permissions for a Directory or File.
- Secure your file-based Data Source Name (DSN), which can
contain user IDs and passwords, with appropriate NTFS
permissions.
- Secure .asp files containing scripts that pass user name and
password information to databases with appropriate NTFS
permissions.
Note
Consider converting your ASP database scripts,
especially those containing user name and password information,
into secure COM server components. For more information, see the
Internet Information Services SDK delivered with the Platform
SDK.
- Select an appropriate Web server authentication method for
identifying users attempting to access your database. Database user
authentication can depend greatly on the protocol used for
connecting to a database. For example, if you decide to use the
Named Pipes default connection protocol for SQL Server, then
authentication of Windows user account credentials may occur in
addition to SQL Server authentication. You should carefully consult
your database software documentation for guidelines regarding the
integration of disparate authentication methods.
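
As an added example (not part of the original documentation), the following Python script inventories the file DSNs and .asp files under a Web root that embed user IDs or passwords, so that they can be prioritized when reviewing the NTFS permissions described in the list above. The function names, sample file names, and credential values are constructed for illustration.

```python
import re
from pathlib import Path

# Connection-string style key=value pairs used in file DSNs and ASP scripts.
# Heuristic: hits still need a manual look before permissions are changed.
CRED_KEY = re.compile(r"\b(UID|User\s*ID|PWD|Password)\s*=\s*([^;\"'\r\n]+)", re.I)
SCAN_SUFFIXES = {".dsn", ".asp"}  # the two file types the list above names


def find_credential_files(root):
    """Map each relative path under root to the kinds of credential it embeds."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SCAN_SUFFIXES:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        kinds = set()
        for match in CRED_KEY.finditer(text):
            if match.group(2).strip():
                # Record only the kind of secret, never the value itself.
                kinds.add("password" if match.group(1).lower().startswith("p") else "user")
        if kinds:
            findings[path.relative_to(root).as_posix()] = sorted(kinds)
    return findings


def build_sample_root(root):
    """Write a small constructed Web root (all names and values are made up)."""
    samples = {
        "data/sales.dsn": "[ODBC]\nDRIVER=SQL Server\nSERVER=db01\nUID=webapp\nPWD=constructed-example\n",
        "data/trusted.dsn": "[ODBC]\nDRIVER=SQL Server\nSERVER=db01\nTrusted_Connection=Yes\n",
        "orders.asp": '<%\nSet conn = Server.CreateObject("ADODB.Connection")\n'
                      'conn.Open "DSN=Sales;UID=webapp;PWD=constructed-example"\n%>\n',
        "default.asp": '<% Response.Write "Hello" %>\n',
    }
    for name, body in samples.items():
        target = Path(root) / name
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_root(tmp)
        for rel, kinds in find_credential_files(tmp).items():
            print(f"{rel}: embeds {', '.join(kinds)}; review its NTFS permissions")
```

The report lists only the kind of credential found in each file, never its value, so the output can be shared without exposing the passwords themselves.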
© 1997-2001 Microsoft Corporation. All rights reserved.