Skip navigation

Web Security: Behind the Scenes - 25 Feb 2000

Technology integration is one of the best things that has happened in the computer world in the past 20 years. I especially appreciate the integration of SQL Server and BackOffice, which lets us use these technologies as a team to build and manage sophisticated applications. However, we often need to know what’s going on behind the scenes with such integration.

For instance, a while back, I was testing various security settings for an intranet application, in which the servers and clients all ran on a LAN. I began by changing the security settings for the Web in the Internet Services Manager. First, I enabled NT Challenge Response security along with Basic authentication. Then I changed the security settings for a couple of files in the Web project to allow only me to access them. I tested a Web page that accessed a file with the new security settings. Everything worked fine because I was logged in to a client that supported NT Challenge Response and because I was using Microsoft Internet Explorer (IE) as the browser. After a bit more fiddling and testing, I had the security settings just as I wanted them.

Then I began testing database access. The Web page performing the database access used several COM objects written in Visual Basic (VB). As I tested the COM objects from within VB, I found I could access the database with no problems—even without supplying the user ID and password. What happened?

I recalled selecting the Integrated security option so that SQL Server would use both Windows NT security and SQL Server security. Integrated security let the COM object access the database because the object was running on the local workstation, which had access to the database through its login. To make sure the development database requires the username and password from any application code trying to access it, I changed the security setting so that the database uses only SQL Server security. This makes testing Web applications much easier because security on the development system mimics security on the Web server.

Like I said, it always helps to have a good understanding of what’s going on behind the scenes in any environment.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.