Re: winnt vs. sql auth

From: AnthonyThomas (Anthony.Thomas_at_CommerceBank.com)
Date: 12/16/04


Date: Thu, 16 Dec 2004 00:33:47 -0600

The biggest benefit of using Windows Authentication is the security of the
account credentials. If users have direct access, then the benefits of
single sign-on are well known. If we are talking about a single application
account access, then somewhere that account information must be stored.

Oftentimes, the storage of this information is on the very server that is at
the highest risk of being compromised, the publicly facing web server. With
Windows Authentication, the account is stored either in the service login
information, the DCOM or COM+ configuration, either of which should be
resident on the Application Server, not the web server.

Then there is the password; for Windows Authentication, it is stored in the
SAM database, which is very difficult to hack as opposed to using the
Global.asa, a compiled .dll, or cleartext in the registry, all of which are
easily accessible.

Moreover, once we have delineated the differences in account storage, then
there is connection transmission; if SSL is not deployed, or at least an
installed Server Certificate on the SQL Server host, the SQL Authenticated
login credentials are transmitted over the network in cleartext. For
Windows Authentication, it is only the Access Token, which is not the
credentials themselves and is encrypted.

Sincerely,

Anthony Thomas

-- 
"ChrisR" <ChrisR@noEmail.com> wrote in message
news:%234T31Nw4EHA.2288@TK2MSFTNGP11.phx.gbl...
sql2k
I'm having a debate about why it's better to use winnt instead of sql auth. I
know about the winnt password benefits. What else is there? All ammo is
appreciated.
ChrisR
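
Added example (not part of the original posts): a small audit that flags connection strings carrying SQL-authentication credentials, the storage and transmission concerns raised in the reply above. The file names, server name, account name and password values are constructed, and treating only the `Encrypt` keyword as the encryption setting is an assumption of this sketch.

```python
# Keyword aliases seen in SqlClient / OLE DB / ODBC connection strings.
USER_KEYS = ("user id", "uid")
PASS_KEYS = ("password", "pwd")
TRUSTED_KEYS = ("integrated security", "trusted_connection")
TRUE_VALUES = {"true", "yes", "sspi"}

def parse_conn_string(conn):
    """Split 'key=value;key=value' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit(conn):
    """Return the findings for one connection string."""
    kv = parse_conn_string(conn)
    trusted = any(kv.get(k, "").lower() in TRUE_VALUES for k in TRUSTED_KEYS)
    has_user = any(kv.get(k) for k in USER_KEYS)
    has_password = any(kv.get(k) for k in PASS_KEYS)
    # Assumption: only the 'Encrypt' keyword is checked for channel encryption.
    encrypted = kv.get("encrypt", "").lower() in {"true", "yes"}
    findings = []
    if has_password:
        findings.append("embedded-password")      # secret stored with the app
    if (has_user or has_password) and not trusted:
        findings.append("sql-auth")               # SQL login, not Windows auth
        if not encrypted:
            findings.append("sql-auth-without-encrypt")
    return findings

# Constructed sample inputs: where each string was (hypothetically) found.
SAMPLES = {
    "global.asa": "Provider=SQLOLEDB;Data Source=db01;Initial Catalog=Orders;"
                  "User ID=webapp;Password=example-only",
    "web.config": "Server=db01;Database=Orders;Integrated Security=SSPI",
    "app.ini": "Server=db01;Database=Orders;UID=webapp;PWD=example-only;"
               "Encrypt=True",
}

def audit_all(samples):
    """Audit every sample and return {location: findings}."""
    return {name: audit(conn) for name, conn in samples.items()}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'ok (Windows Authentication)'}")
```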

