[英]Best method to connect IIS 7.5 Web Forms to SQL Server
I'm upgrading an ASP.NET 4.0 app from: 我正在从以下版本升级ASP.NET 4.0应用程序:
Windows Server 2003 and IIS 6 Windows Server 2003和IIS 6
to: 至:
Windows Server 2008 and IIS 7.5 Windows Server 2008和IIS 7.5
This app is based on ASP.NET Web Forms and not MVC. 此应用程序基于ASP.NET Web窗体 ,而非MVC。 I currently use SQL authentication, but I would like to follow best practices in the new environment.
我目前使用SQL身份验证,但是我想在新环境中遵循最佳实践。
Both the IIS 7.5 machine and the SQL Server 2008 machine will reside in a DMZ with its own domain controller . IIS 7.5计算机和SQL Server 2008计算机都将驻留在具有自己的域控制器的DMZ中 。 It would be nice if we could use similar connection strings for Dev, Test and Prod environments.
如果我们可以在Dev,Test和Prod环境中使用类似的连接字符串,那就太好了。 What's the best practice for this situation?
在这种情况下,最佳做法是什么? I've read about three options.
我已经阅读了三种选择。
Here are links to questions that discussed related issues, but nothing seemed to answer my specific question. 这里是讨论相关问题的问题的链接,但是似乎没有什么可以回答我的具体问题。
User ASP.NET Runs Under 用户ASP.NET运行在
Assign Permissions to ApplicationPoolIdentity Account 向ApplicationPoolIdentity帐户分配权限
I recommend AD account for running the app pool. 我建议使用AD帐户来运行应用程序池。 Then, permissions can be created at SQL server for that same account.
然后,可以在SQL Server上为该帐户创建权限。 The conn string used by the app will then not have to contain account info at all (trusted connection), and you will have one less thing to worry about related to security.
然后,该应用程序使用的conn字符串将完全不必包含帐户信息(受信任的连接),并且您不必担心与安全性相关的事情。 As additional precaution, remove that AD account from all user groups, and don't use it for anything else but for this one thing (the app pool).
作为额外的预防措施,请从所有用户组中删除该AD帐户,除了用于这一件事(应用程序池)之外,不要将其用于其他任何用途。 Give that user read access to website files, and write access only to folders that it needs to write to (eg to dump log files).
授予该用户对网站文件的读取访问权限,并仅对其需要写入的文件夹(例如转储日志文件)进行写入访问。
As far as best practices is concerned, I don't think any of the 3 options you listed is better over the other one; 就最佳实践而言,我认为您列出的三个选项中的任何一个都不比另一个更好。 all of them can do the job securely and efficiently if used correctly.
如果使用正确,它们所有人都可以安全有效地完成工作。 Your decision should be based on which of those offers advantages to you considering your particular environment, company policies, etc., but again, none of them are bad practice.
您的决定应基于考虑到您的特定环境,公司政策等因素中的哪一项可以为您带来优势,但是同样,这些都不是坏习惯。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.