Create Server Login (Do not type a password in web config)

 

As a high-level security measure in SQL Server, if you do not want application developers to know the application user's password, this article will be helpful.

With this method, the application will only be able to connect to the database from specific application servers.

Each application server that needs to connect to the database must be defined as a login in SQL Server, as follows.

 

Write your own server name in place of TESTSERVER above.

One important point: type the server name in uppercase letters.

 

When you create the login this way, application developers write “Integrated Security = SSPI” or “Trusted_Connection = True” in the connection string instead of a user ID and password.
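The login and the connection-string change described above, as an added example that is not the article's own script. It assumes the application runs under an identity that authenticates over the network as the server's Active Directory computer account; the domain `CONTOSO`, the database `AppDb`, the SQL Server host `SQL01` and the role choices are placeholders.

```sql
-- Added example (not the article's script). CONTOSO, AppDb and SQL01 are
-- placeholders; TESTSERVER is the application server name used in the article.
-- Assumption: the login is the app server's computer account, DOMAIN\HOSTNAME$.

USE [master];
GO
-- Windows login for the application server itself; no password is stored anywhere.
CREATE LOGIN [CONTOSO\TESTSERVER$] FROM WINDOWS
    WITH DEFAULT_DATABASE = [AppDb];
GO

USE [AppDb];
GO
-- Map the login to a database user and grant only what the application needs.
CREATE USER [CONTOSO\TESTSERVER$] FOR LOGIN [CONTOSO\TESTSERVER$];
ALTER ROLE [db_datareader] ADD MEMBER [CONTOSO\TESTSERVER$];
ALTER ROLE [db_datawriter] ADD MEMBER [CONTOSO\TESTSERVER$];
GO

-- Connection string in web.config, before (secret readable by anyone with the file):
--   Server=SQL01;Database=AppDb;User Id=appuser;Password=<secret>;
-- After (no secret; the server's Windows identity is used):
--   Server=SQL01;Database=AppDb;Integrated Security=SSPI;

-- Check 1: the login exists, is a Windows login, and is enabled.
SELECT name, type_desc, is_disabled
FROM sys.server_principals
WHERE name = N'CONTOSO\TESTSERVER$';

-- Check 2: once the application is running, confirm its sessions use
-- Windows authentication (auth_scheme is KERBEROS or NTLM, not SQL).
-- host_name and program_name are reported by the client, so treat them
-- as hints for review rather than as proof of origin.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.login_name = N'CONTOSO\TESTSERVER$';
```

After the switch, the old SQL-authenticated application login can be disabled with `ALTER LOGIN ... DISABLE` so the password that used to sit in web config no longer works from anywhere.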

dbtut


This Post Has 3 Comments

  1. Engr. Mohammad Rizwan Yasin

    How do we prevent access to the database if someone has application server access? How can we restrict the user to connect only from the application and not from any query or SSMS tool?

    1. dbtut

      If someone has application server access and you don't apply this method, that person can get the password from the web config and can use it on another server.

      With this method, he or she cannot connect from any other server. Maybe there can be a restriction, but I don't know.

      You can log in with a local user like this with SQL Server authentication if you defined a server login.

      localuser@servername

      You should add the Integrated Security parameter to SSMS.

      1. dbtut

        If this method is not enough for you, you can hash your web config. This is another method.
