Kirk Evans Blog

.NET From a Markup Perspective

ASP.NET 2.0 Security Practices at a Glance

Check out a great resource on securing ASP.NET 2.0 applications; it is packed with practical guidance. Here is its answer to the security question I hear most often, how a web application should authenticate to SQL Server:

Use Windows authentication where possible and use a least privileged service identity while connecting to SQL Server. Usually, this will be your least privileged application’s process account. By using a service account, you benefit from connection pooling. If you need per user authorization in the database, you can use impersonation (and delegation) and access the database with the original caller’s account, but this will prevent efficient connection pooling.

To use Windows authentication, configure SQL Server appropriately and then use a connection string that contains either “Trusted_Connection=Yes”, or “Integrated Security=SSPI” as shown in the following code. The two strings are equivalent and both result in Windows authentication.
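The connection-string code the quoted guidance refers to is not reproduced above. As an added example (written for this page, not taken from the original post or from the patterns & practices guide), the following C# console program builds a Windows-authentication connection string, confirms that System.Data.SqlClient parses "Trusted_Connection=Yes" and "Integrated Security=SSPI" to the same setting with no password present, and then asks SQL Server which login it actually authenticated. The instance name ".\SQLEXPRESS" and database "Northwind" are placeholders; the runtime check assumes a reachable SQL Server instance on which the process account has a login.

```csharp
using System;
using System.Data.SqlClient;

// Added example, not code from the original post or the guide it quotes.
// Server and database names are assumed placeholders for illustration.
class WindowsAuthConnectionDemo
{
    const string Server = @".\SQLEXPRESS";   // assumed instance name
    const string Database = "Northwind";     // assumed database name

    // Build the string with SqlConnectionStringBuilder instead of string
    // concatenation, so a value containing ';' or '=' cannot alter its meaning.
    static string BuildIntegratedSecurityString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true   // emitted as "Integrated Security=True"
        };
        return builder.ConnectionString;
    }

    // The two spellings named in the guide are synonyms: both parse to
    // IntegratedSecurity == true, and neither embeds a password, which is
    // the point of using Windows authentication in the first place.
    static bool SpellingsAreEquivalent()
    {
        var trusted = new SqlConnectionStringBuilder(
            "Server=" + Server + ";Database=" + Database + ";Trusted_Connection=Yes");
        var sspi = new SqlConnectionStringBuilder(
            "Server=" + Server + ";Database=" + Database + ";Integrated Security=SSPI");

        return trusted.IntegratedSecurity && sspi.IntegratedSecurity
            && trusted.Password.Length == 0 && sspi.Password.Length == 0;
    }

    // Ask SQL Server which login it authenticated. With the recommended
    // setup this is the application's process (service) account, for example
    // "NT AUTHORITY\NETWORK SERVICE" or a domain service account. If the
    // calling code path impersonates the original caller instead, the caller's
    // account is returned, and each distinct caller gets its own pool of
    // connections, which is the pooling cost the guide warns about.
    static string LoginSeenByServer(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME()", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        string cs = BuildIntegratedSecurityString(Server, Database);
        Console.WriteLine("Connection string: " + cs);
        Console.WriteLine("Trusted_Connection=Yes equals Integrated Security=SSPI: "
                          + SpellingsAreEquivalent());

        try
        {
            Console.WriteLine("SQL Server authenticated login: " + LoginSeenByServer(cs));
        }
        catch (SqlException ex)
        {
            // Typical causes: the instance is unreachable, or the process account
            // has no SQL Server login (error 18456). The fix is to create a login
            // for the service account with CREATE LOGIN [DOMAIN\svc] FROM WINDOWS
            // and grant it only the database permissions the application needs,
            // not to fall back to a SQL login with a password in the connection string.
            Console.WriteLine("Connection failed: " + ex.Message);
        }
    }
}
```

Run this under the same identity the web application's worker process uses (for ASP.NET 2.0 on IIS 6, typically NETWORK SERVICE) and the login SQL Server reports should be that service account, not a developer's own domain account; a mismatch usually means the application pool identity differs from what was granted in SQL Server.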