Best Practice Accessing SQL Server 2012 from a Web App

I'm looking for best practices regarding accessing SQL Server 2012 via a web application to ensure optimum security.

Thanks in advance.

Create a database role for the application. Add only the permissions actually necessary (principle of least privilege). Create an AD group for the web servers that will access the database. Create users for the web servers and add them to the AD group(s). Add the AD groups to SQL Server and the database role(s).

Users of the web app connect to the app with their logins, but the database access is controlled by the accounts of the web servers.
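The steps above, written out as T-SQL for SQL Server 2012. This is an added example, not code from the thread; `AppDb`, `DOMAIN\WebServers`, the `app` schema and the `dbo.Orders`/`dbo.Products` tables are placeholders for your own database, AD group and objects.

```sql
-- Run in the application database (placeholder name AppDb) as a member of db_owner.
USE AppDb;
GO

-- 1. A database role that carries only what the web app needs.
CREATE ROLE web_app_rw;
GO

-- 2. Least privilege: grant per object (or per schema); avoid db_owner/db_datawriter.
--    dbo.Orders, dbo.Products and the app schema are placeholders and must exist.
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO web_app_rw;
GRANT SELECT ON dbo.Products TO web_app_rw;
-- Keep business logic in stored procedures and grant EXECUTE on their schema
-- instead of table DML wherever possible.
GRANT EXECUTE ON SCHEMA::app TO web_app_rw;
GO

-- 3. One Windows login for the AD group holding the web servers' machine or
--    service accounts. With integrated authentication in the connection string
--    (Integrated Security=SSPI) no password is stored in the web.config.
CREATE LOGIN [DOMAIN\WebServers] FROM WINDOWS WITH DEFAULT_DATABASE = AppDb;
GO

-- 4. Map the login to a database user and put that user in the role.
CREATE USER [DOMAIN\WebServers] FOR LOGIN [DOMAIN\WebServers];
ALTER ROLE web_app_rw ADD MEMBER [DOMAIN\WebServers];
GO

-- 5. Audit check: exactly which permissions the role holds ...
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE pe.class_desc
            WHEN 'OBJECT_OR_COLUMN' THEN OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id)
            WHEN 'SCHEMA'           THEN SCHEMA_NAME(pe.major_id)
            ELSE 'database'
       END AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'web_app_rw';

-- ... and who is a member of it.
SELECT m.name AS member_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'web_app_rw';
```

Re-run the two audit queries after any schema change; a row for `db_owner` or a `CONTROL` permission on the database in the first result means the role has outgrown least privilege.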

To add to gbritton: it also depends on how your web app is running, for example will it be on IIS or node? If IIS, will you be using an app pool, and what identity will this app pool be using?

Also, what will be in your connection string, integrated authentication to the SQL Server?

And to add even more, build a data access layer between your web app and the database. That way nothing that touches the web also touches the database server.
