
I start by saying that I am not really familiar with AD and DMZs.

In my company, we have a DMZ with one server, isolated from the internal network (only a few open ports) and exposed to the web. There are some IIS applications running which have access to the SQL Server.

I wanted to update the connectionstrings, remove userId and password, use Integrated Security = true and set a proper user to the application pool in order to remove the cleartext/hardcoded password from the web.configs.

The problem is that the server does not recognize the user, since the server is not part of the AD domain.

I'm quite sure there is a clean solution for such a scenario, but no clue. What should I do?

Emaborsa
  • You can only use “Integrated Security = true” if your web server is joined to the same domain (or a trust relationship exists) as the SQL server. – Greg W Jul 08 '20 at 00:19
  • So what do you suggest? Should I add the server to the domain in order to be able to use `Integrated Security = True`? – Emaborsa Jul 08 '20 at 10:01
  • That decision is up to you. Is it an insurmountable objective or something that can easily be done? – Greg W Jul 08 '20 at 10:29
  • I think it's not a matter of how much effort such a change requires, but rather about security. I am trying to understand if it's better to keep the password visible, keep the server outside of the domain, or maybe another solution. – Emaborsa Jul 08 '20 at 11:03
  • Integrated security is more secure as the authentication isn’t in the clear (and even more secure if using Kerberos). That said, the server is in the DMZ for a reason and domain-joining DMZ servers comes with its own risks. – Greg W Jul 08 '20 at 11:06
  • I just found this https://social.technet.microsoft.com/Forums/lync/en-US/b58fef74-8ce5-4c4f-8221-e46d8324ea07/authenticate-to-internal-trusted-domain-from-dmz-app-server?forum=winserverDS what do you think about? – Emaborsa Jul 08 '20 at 11:45

2 Answers


I wanted to update the connectionstrings, remove userId and password, use Integrated Security = true and set a proper user to the application pool in order to remove the cleartext/hardcoded password from the web.configs.

As others have stated, you cannot use integrated security if the system is not joined to Active Directory.

You also don't need to do this because the connection strings can be encrypted.

Use the following commands from a command prompt where the web.config is located:

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe -pef connectionStrings "."

If the app pool runs under an account and not local system:

%SYSTEMROOT%\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis -pa "NetFrameworkConfigurationKey" "accountusername"

If there are multiple IIS servers in a farm, they all need to have the same machine key, which they probably already do.

More information:

https://docs.microsoft.com/en-us/aspnet/web-forms/overview/data-access/advanced-data-access-scenarios/protecting-connection-strings-and-other-configuration-information-cs

Greg Askew
  • Good point. It doesn’t avoid the credentials being sent in the clear to SQL Server unless that connection is encrypted also. – Greg W Jul 08 '20 at 21:31
  • I already knew that option, but I had some problems and no one answered on my post. https://stackoverflow.com/questions/61679016/aspnet-regiis-always-shows-its-options – Emaborsa Jul 09 '20 at 07:47
  • @GregW: Yes, that is a different can of worms. The only way to truly address that is to enforce encryption from the server side. Difficult to do after the fact. Of course the client could opt in to using encryption, but that isn't optimal. – Greg Askew Jul 09 '20 at 16:20
  • Does it matter with which user I encrypt? – Emaborsa Aug 27 '20 at 09:38
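The procedure in this answer, as an added PowerShell example that is not part of the original answer: it runs the two aspnet_regiis commands, works out which Windows account the worker process actually runs as (so the -pa grant targets the right identity and is skipped for LocalSystem), and then checks that the section really is encrypted and that no clear-text credential remains in the file. The site directory and application pool name are assumptions.

```powershell
# Added example, not part of the answer above. Encrypts the <connectionStrings> section
# of a web.config with aspnet_regiis, grants the IIS worker process identity access to
# the RSA key container, and verifies the result. $siteRoot and $appPool are assumed names.
$ErrorActionPreference = 'Stop'
$siteRoot  = 'C:\inetpub\wwwroot\MyApp'     # directory that contains web.config (assumed)
$appPool   = 'MyAppPool'                     # IIS application pool of the site (assumed)
$regiis    = Join-Path $env:SYSTEMROOT 'Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe'
$container = 'NetFrameworkConfigurationKey'  # default machine-level RSA key container used by -pef
$webConfig = Join-Path $siteRoot 'web.config'

# 1. Encrypt in place. -pef takes the section name and the physical directory, not the file.
& $regiis -pef 'connectionStrings' $siteRoot
if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pef failed (exit code $LASTEXITCODE)" }

# 2. Work out which Windows account the worker process runs as and grant it read access
#    to the key container. LocalSystem already has access, so -pa is skipped for it.
Import-Module WebAdministration
$pm = (Get-Item "IIS:\AppPools\$appPool").processModel
$identity = switch ($pm.identityType) {
    'ApplicationPoolIdentity' { "IIS AppPool\$appPool" }
    'NetworkService'          { 'NT AUTHORITY\NETWORK SERVICE' }
    'LocalService'            { 'NT AUTHORITY\LOCAL SERVICE' }
    'SpecificUser'            { $pm.userName }
    default                   { $null }
}
if ($identity) {
    & $regiis -pa $container $identity
    if ($LASTEXITCODE -ne 0) { throw "aspnet_regiis -pa failed (exit code $LASTEXITCODE)" }
}

# 3. Verify: the section must reference the RSA provider and carry <EncryptedData>,
#    and no clear-text credential should remain anywhere in the file.
$cfg = [xml](Get-Content -Raw $webConfig)
$cs  = $cfg.configuration.connectionStrings
if ($cs.configProtectionProvider -ne 'RsaProtectedConfigurationProvider' -or -not $cs.EncryptedData) {
    throw 'connectionStrings section is not encrypted'
}
if ((Get-Content -Raw $webConfig) -match '(?i)\b(password|pwd)\s*=') {
    throw 'a clear-text password is still present in web.config'
}
"connectionStrings encrypted with $container; readable by $(if ($identity) { $identity } else { 'LocalSystem' })"
```

Run it from an elevated prompt on the web server; `-pdf connectionStrings <dir>` reverses the encryption when the file has to be edited. Two caveats a practitioner will want: what has to be shared across a farm is the RSA key container named above, not the ASP.NET machineKey, so export it once with `aspnet_regiis -px NetFrameworkConfigurationKey keys.xml -pri`, import it on the other nodes with `-pi NetFrameworkConfigurationKey keys.xml`, and repeat the `-pa` grant on each node; and, as the comment above points out, this protects the credential at rest only, so the SQL connection itself still needs `Encrypt=True` (ideally enforced on the server) to keep it off the wire in the clear.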

Create a user on the DMZ server and assign it to the application pool. Create a local user on the SQL server and give it permissions in SQL Management Studio.

Timothy Frew
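What makes the approach in this answer work, stated here as an added note and example rather than as part of the original answer, is NTLM authentication with "mirrored" local accounts: the local user on the DMZ web server and the local user on the SQL Server host must have the same name and the same password, and SQL Server then sees the connection as its own local account. The script below does the web-server half, writes out the T-SQL for the SQL host, and prints the resulting connection string. Account, pool, host and database names are assumptions.

```powershell
# Added example, not part of the answer above. Sets up "mirrored" local accounts: a local
# user with the same name and password on the DMZ web server and on the SQL Server host,
# so the app pool can use Integrated Security over NTLM without a domain join.
# Account, pool, host and database names are assumptions.
$ErrorActionPreference = 'Stop'
$svcUser  = 'svc_webapp'   # local service account, created identically on both hosts (assumed)
$appPool  = 'MyAppPool'    # IIS application pool (assumed)
$sqlHost  = 'SQL01'        # SQL Server host name; its local account is what SQL Server sees (assumed)
$database = 'AppDb'        # application database (assumed)

# The accounts are matched by name and password only, so one strong password must be
# set on both machines. Prompt for it rather than embedding it in the script.
$secure = Read-Host -AsSecureString "Password for $svcUser (identical on web and SQL host)"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

# --- DMZ web server: local account, then run the app pool as that account ---
New-LocalUser -Name $svcUser -Password $secure -PasswordNeverExpires -UserMayNotChangePassword `
              -Description 'IIS app pool identity (mirrored on SQL host)' | Out-Null
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$appPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = ".\$svcUser"
    password     = $plain
}
Restart-WebAppPool -Name $appPool

# --- SQL Server host: create the same local user there (New-LocalUser with the same
#     name and password), then run this T-SQL. The login is the SQL host's local account.
$tsql = @"
CREATE LOGIN [$sqlHost\$svcUser] FROM WINDOWS;
USE [$database];
CREATE USER [$svcUser] FOR LOGIN [$sqlHost\$svcUser];
-- grant only what the application needs; db_owner is not required for a web app
ALTER ROLE db_datareader ADD MEMBER [$svcUser];
ALTER ROLE db_datawriter ADD MEMBER [$svcUser];
"@
Set-Content -Path (Join-Path $env:TEMP "grant-$svcUser.sql") -Value $tsql

# --- connection string for web.config: no credential in the file. Encrypt=True keeps the
#     NTLM exchange and query traffic from crossing the DMZ boundary in the clear;
#     TrustServerCertificate=True is only acceptable until the SQL Server presents a
#     certificate the web server trusts.
$connectionString = "Server=$sqlHost;Database=$database;Integrated Security=SSPI;Encrypt=True;TrustServerCertificate=True"
$connectionString
```

Once the app pool is recycled, `SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID;` run through the application's connection should return NTLM; Kerberos is not available to a non-domain host. The trade-offs are the ones the comments on the question hint at: the password has to be rotated on both hosts in lock-step, and the account is now a valid local account on the SQL host, so if the DMZ server is compromised, that login's database rights (kept to the minimum above) and the SQL Server's firewall rules are what limit the damage.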