AnotherDeveloper AnotherDeveloper -4 years ago 75
ASP.NET (C#) Question

ASP.NET SQL Database Connection Security for IIS 8 and beyond

It doesn't seem like there is a definitive best practice for how to manage SQL Server connections from ASP.NET. Would be interested in hearing the pros and cons for the solutions below, and any others that are not listed. I haven't revisited this since IIS 7.5, so maybe there are better approaches at this point:

  1. Use a virtual application pool identity (Virtual Accounts) and add it as a SQL Login.

  2. Have the App Pool use a domain account for its identity. Set the same account as a login in SQL Server.

  3. Have the application impersonate a domain account with information gathered from the registry. The app pool will use a virtual application pool identity. Add the domain account as a login in SQL Server.

Answer Source
1) pro: simple 
   con: if there are multiple web apps on the IIS server, they will all use the machine account to authenticate to a remote SQL instance.

2) pro: can give each app pool a distinct domain identity
   con: password management

3) pro: none
   con: insecure credential storage
Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download