 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
.NET Forum / Languages / C# / October 2007Windows service
Hi, I have a windows service that does some distributed transcation across 2 servers. One DB is SQL 2005 express and the other is SQL 2005. My question is I have created a domain user account and I am logging the service in as that account. Then I am adding permission to the user acccount to both DB's. If I use integrated security in my connection strings to the DB's will they login as the domain user account and everything be greart???? Malcolm I guest is OK,do you try that? Regards Bela Istok > Hi, > [quoted text clipped - 9 lines] > > Malcolm No have not tried it yet I am trying to save me some pain by asking :-) >I guest is OK,do you try that? > [quoted text clipped - 14 lines] >> >> Malcolm > No have not tried it yet > > I am trying to save me some pain by asking :-) Yes you should do that with NT Integrated security if the account being used on the running machine is established on SQL 2005 server and SQL 2005 express. However, most would just use a generic user-id and psw for the logins one for Server and one for Express and make two entries in AppSettings for connections strings. >>I guest is OK,do you try that? >> [quoted text clipped - 14 lines] >>> >>> Malcolm Arnold If you store the logins in the App.Config you can compromise the server if someone get to the machine, the best way is to use integrated in the service (if the service is running in the user stations). Regards, Bela Istok >> No have not tried it yet >> [quoted text clipped - 28 lines] >>>> >>>> Malcolm > Arnold If you store the logins in the App.Config you can compromise the > server if someone get to the machine, the best way is to use integrated in > the service (if the service is running in the user stations). You do know that you can encrypt a configuration file in .NET 2.0 don't you? http://www.codeproject.com/useritems/Configuration_File.asp >> Arnold If you store the logins in the App.Config you can compromise the >> server if someone get to the machine, the best way is to use integrated [quoted text clipped - 4 lines] > > http://www.codeproject.com/useritems/Configuration_File.asp While that's an option, it's a real pain. Worse, it's still less secure that using Windows Auth to the SQL DB. I've actually done this before (we were hitting an Oracle DB that didn't support Windows Auth), using both the COM+ method recommend by the PAG group, and using the DPAPI method others have recommended. It worked, but it's alot of overhead both for the devs and the sys admins to worry about. If you can use it, Windows Auth to the SQL Database is better in every way.  SignatureChris Mullins >>> Arnold If you store the logins in the App.Config you can compromise the >>> server if someone get to the machine, the best way is to use integrated [quoted text clipped - 14 lines] > If you can use it, Windows Auth to the SQL Database is better in every > way. It's only good for a solution that's running in a domain. It's not good for a solution that the users are not in a NT domain environment. I have not seen NT Authenticated user used for a means of connecting to a SQL Server database by any application, even in a domain. That seems to be a PITA for a DBA, and I think they avoid it, at least the ones I have worked with. Some DBA's have a special sequence of characters to kind of encrypt the psw a kind of their own blend or take on the psw. [SQL Auth vs Windows Auth] > It's only good for a solution that's running in a domain. It's not good > for a solution that the users are not in a NT domain environment. I've seen many Production SQL Databases & Apps not joined to a domain that did this. The SQL Server just configured "WebServer1\NETWORK SERVICE" as the user name, and granted it acccess to the database. Took about 30 seconds to have it running. (We can debate the wisdom of having the database & the SQL Server on the same network, but that's a completly different argument, and still ends up with the same solutions working just fine) > I have not seen NT Authenticated user used for a means of connecting to a > SQL Server database by any application, even in a domain. We have very different expereinces in that regard. I see Windows Auth almost exclusivly. When I do see SQL Auth used, it's confessed to me in hushed tones, with downcast eyes, and usually followed with a "but we're fixing it!" said in an urgent voice! > That seems to be a PITA for a DBA, and I think they avoid it, at least the > ones I have worked with. Again, we have compeltly different expereince in this regard. The DBA's I know all much prefer it.... > Some DBA's have a special sequence of characters to kind of encrypt the > psw a kind of their own blend or take on the psw. I would be very concerened about that. Custom Encryption schemes are notoriously unsecure, and likely used more for Job Security purposes than anything else. The right tools for the job all exist, and there's no reason not to use them... -- Chris Mullins <snipped> You're talking about one aspect, which is the NT Domain environment, an application running in that environment. It doesn't apply to all situations like a Web solution, when no user is part of a NT domain that can be authenticated. So in order to logon to SQL server, the application must use a generic user-id and psw. It's all SQL Server table authentication for the user. > Yes you should do that with NT Integrated security if the account being > used on the running machine is established on SQL 2005 server and SQL 2005 [quoted text clipped - 3 lines] > for Server and one for Express and make two entries in AppSettings for > connections strings. The recommend practice is to use Windows Auth from the service to SQL Server. It's easier to configure, less maintentance, and much more secure. In general, you should not use SQL Auth for much of anything these days. There would be 2 connection strings in the AppConfig, one for each DB. Each of these connection strings is marked to use Integrated Authentication. -- Chris Mullins >> Yes you should do that with NT Integrated security if the account being >> used on the running machine is established on SQL 2005 server and SQL [quoted text clipped - 11 lines] > Each of these connection strings is marked to use Integrated > Authentication. You might convince me on the little more secure, but not the less maintenance part of just having a generic user-id and psw that an app uses. > "Chris Mullins [MVP - C#]" <cmullins@yahoo.com> wrote in message > news:eiaWX%23%23FIHA.1208@TK2MSFTNGP05.phx.gbl... >> The recommend practice is to use Windows Auth from the service to SQL >> Server. It's easier to configure, less maintentance, and much more >> secure. In general, you should not use SQL Auth for much of anything >> these days. > You might convince me on the little more secure, but not the less > maintenance part of just having a generic user-id and psw that an app > uses. Well, SQL Auth is considered to be insecure. It's easily cracked (I've used the tools, and verified this, much to my client's amazement), doesn't have any metering on it to prevent brute force attacks, transmits the credentials to the database in plain-text, and doesn't integrate at all into the standard security infrastructure already being used by the organization. There no way to enforce password strength rules, and the passwords are store as case insensitive hashes. There's no default monitoring of the invalid password attempts, no automatic account lock-out, etc. There's a ton of documentation on this found on the web. All of the DBA's that I work with prefer Windows Auth to SQL Auth for ease of use reasons as well. It's one less set of passwords to remember, less configuration in the long run, fewer plain-text passwords floating around in email & config files. It's much easier to switch between databases without having to continually enter passwords. It's also easier to manage in the HR case - when you fire an Admin or a Dev, you don't have to change all the SQL Passwords, just lock-out his account. When you hire someone new, you don't have to email them the credentials. You just add the role to their Active Directory account, and it works. If you ever want to scare yourself, go download Cain & Able off the web, and watch the insecure traffic fly across your network. You'll have all the account credientals in no time. Makeing sure the network layer is secure is important! -- Chris Mullins >> "Chris Mullins [MVP - C#]" <cmullins@yahoo.com> wrote in message >> news:eiaWX%23%23FIHA.1208@TK2MSFTNGP05.phx.gbl... [quoted text clipped - 14 lines] > into the standard security infrastructure already being used by the > organization. Most oraganizations don't know the first thing about secuirty -- not really. > There no way to enforce password strength rules, and the passwords are > store as case insensitive hashes. There's no default monitoring of the > invalid password attempts, no automatic account lock-out, etc. There's a > ton of documentation on this found on the web. I know about all of this. I have been working on the NT based O/S platform for many years. > All of the DBA's that I work with prefer Windows Auth to SQL Auth for ease > of use reasons as well. It's one less set of passwords to remember, less > configuration in the long run, fewer plain-text passwords floating around > in email & config files. It's much easier to switch between databases > without having to continually enter passwords. Most solutions are not swithing between databases. The only way that switching of databases by an application would be is when the appliacation moves from dev/test/QA/prod, but they are the same database. The only thing that changes is is where the database is located. > It's also easier to manage in the HR case - when you fire an Admin or a > Dev, you don't have to change all the SQL Passwords, just lock-out his > account. You and I both know that most are not doing this. :) > When you hire someone new, you don't have to email them the credentials. > You just add the role to their Active Directory account, and it works. I sounds good, but again, you and I both know that they are not doing this. > If you ever want to scare yourself, go download Cain & Able off the web, > and watch the insecure traffic fly across your network. You'll have all > the account credientals in no time. Makeing sure the network layer is > secure is important! I don't disagree with you. But they are not doing it, and I have been in those shops. Hello Arnold, if you know all of this why you recommend to Rotsey not to use Domain Security? Because the persons you have worked for doesn't do the work in the right way, doesn't mean you need to omit the solution at all? Regards, Bela Istok >>> "Chris Mullins [MVP - C#]" <cmullins@yahoo.com> wrote in message >>> news:eiaWX%23%23FIHA.1208@TK2MSFTNGP05.phx.gbl... [quoted text clipped - 56 lines] > I don't disagree with you. But they are not doing it, and I have been in > those shops. > Hello Arnold, if you know all of this why you recommend to Rotsey not to > use Domain Security? > > Because the persons you have worked for doesn't do the work in the right > way, doesn't mean you need to omit the solution at all? There is my post to the OP. Do you want to point out where I recommended anything. I don't like it when someone tries to imply that I said something when I didn't say it. Where did I say that *I recommend*. >> No have not tried it yet >> [quoted text clipped - 8 lines] > for Server and one for Express and make two entries in AppSettings for > connections strings. Well, to be picky, you said: > However, most would just use a generic user-id and psw for the logins one > for Server and one for Express and make two entries in AppSettings for > connections strings. I don't think this is true at all. Moreso, I consider it an Anti-Pattern in most cases. The way you phrased it, your post was read by me as, "I recommend doing SQL Auth over Windows Auth." I realize that's not quite what you said, but that is obviously how it's been interpreted by more than just me. Due to my interpretation, I posted a response saying that "SQL Auth bad. Windows Auth good.". Otherwise, I would have skipped the thread with "Arnold already answered it, and I've nothing constructive to add.". -- Chris Mullins >> Hello Arnold, if you know all of this why you recommend to Rotsey not to >> use Domain Security? [quoted text clipped - 18 lines] >> for Server and one for Express and make two entries in AppSettings for >> connections strings. > Well, to be picky, you said: > >> However, most would just use a generic user-id and psw for the logins one >> for Server and one for Express and make two entries in AppSettings for >> connections strings. I want to know where I implied that I recommended. All I gave is what most would do right or wrong. Your picky point is much ado about nothing and is the very reason I dislike anyone posting with that MVP, as you have proven to me once again my dislike for MVP's. I am not here to debate anything with any of you. It was a mistake to converse with you period about anything ,and you need to just flat-out stop and move on, because I'll do it for you and just killfile you to avoid all of this. > I want to know where I implied that I recommended. All I gave is > what most would do right or wrong. That's correct. Chris was simply explaining how the misunderstanding happened. I didn't see anything in his post that asserted that you had in fact said that was your recommendation. Just that that's how he read it. > Your picky point is much ado about > nothing and is the very reason I dislike anyone posting with that > MVP, as you have proven to me once again my dislike for MVP's. Actually, your dislike for practically everyone is fairly well-known here. I'm surprised you continue to participate in the newsgroup, given how much you seem to hate everyone, MVP or otherwise. Your inability to tolerate even the slightest disagreement or misunderstanding results in threads spiraling out of control, with you at the center stridently relating just how little you care to interact with anyone, and how close you are to killfiling a person. Why bother? Pete SignatureI'm trying a new usenet client for Mac, Nemo OS X. You can download it at http://www.malcom-mac.com/nemo > "Chris Mullins [MVP - C#]" <cmullins@yahoo.com> wrote in message >> Well, to be picky, you said: >> >>> However, most would just use a generic user-id and psw for the logins >>> one for Server and one for Express and make two entries in AppSettings >>> for connections strings. > I want to know where I implied that I recommended. All I gave is what most > would do right or wrong. You implied that Sql Auth was the right way to go. It's clear as day to those reading the post. It's sure how I interpreted things. If you've got people telling you that your writing is unclear, there are typically three choices: 1 - Admit you posted something that was written in a way as to allow easy misinterpretation. 2 - Ignore everyone and keep on doing that you're doing. 3 - Go offensive and attack those people daring to point out a mistake you may have made. Unfortunatly, you normally seem to pick option 3, with an occasional foray into option 2. I've yet to see you pick option 1. > Your picky point is much ado about nothing and is the very reason I > dislike anyone posting with that MVP, as you have proven to me once again > my dislike for MVP's. You're certainly entitled to your opinion. If you dislike people posting (usually) correct, timely, and detailed answers to questions people have, I can certainly see how you would dislike the MVP Award in general, and it's recipients in particular. I daresay you're a bit unusual in this regard, but to each their own... > I am not here to debate anything with any of you. It was a mistake to > converse with you period about anything ,and you need to just flat-out > stop and move on, because I'll do it for you and just killfile you to > avoid all of this. I can see how conversing with me is difficult and frustrating. I'm very rude, blunt, guilty of engaging in frequent and viscious ad-hominem attacks, and often defend incorrect and unsupportable posistions based on nothing but pride and the inability to be ever be wrong. Clearly I'm unsuitable for engaging in a debate or even a casual conversation. -- Chris Mullins <snipped> > I can see how conversing with me is difficult and frustrating. I'm very > rude, blunt, guilty of engaging in frequent and viscious ad-hominem > attacks, and often defend incorrect and unsupportable posistions based on > nothing but pride and the inability to be ever be wrong. Clearly I'm > unsuitable for engaging in a debate or even a casual conversation. Like I said, I am not here to converse or debate. Now, if you have issues with that, then let me get you some tissues. Good bye > I have a windows service that does some distributed transcation > across 2 servers. One DB is SQL 2005 express and the other is SQL 2005. [quoted text clipped - 5 lines] > DB's will they login as the domain user account and > everything be greart???? Yes, this should work, and in fact it is the recommended way to configure security for such a setup. >> I have a windows service that does some distributed transcation >> across 2 servers. One DB is SQL 2005 express and the other is SQL 2005. [quoted text clipped - 8 lines] > Yes, this should work, and in fact it is the recommended way to > configure security for such a setup. Really? You want to post some information about this is a recommended security feature. Have you talked with a SQL DBA about this? Yup. That's exactly how it works, and is the recommended way to do it. Terminology wise, it's usually called a "Service Account", rather than a "User Account", but they're the same thing. Generally service accoutns have passwords that don't expire... -- Chris Mullins > Hi, > [quoted text clipped - 9 lines] > > Malcolm Free MagazinesGet these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...
|
Reply to this Message
|
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2008 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.