From: Chip Andrews (chipandrewsusa.net)
Date: Thu Jan 10 2002 - 16:14:57 CST

    Pooling would NOT be defeated because in this scenario all users run in the
    context of the IUSR account. If you use NTLM or basic auth then all bets are
    off.

    Chip

    "John Munyan" <johnmattrition.ws> wrote:
    > Do the right thing - never use SQL Server's native security. Use a
    > trusted connection (using the I_USR account) to a limited set of stored
    > procedures that control all access to the database - just like Microsoft
    > recommends.
    > You'll never have the username or password lying around in a connection
    > string again. If someone breaks into the SAM then you've got a lot more
    > to worry about than the loss of the I_USR account password. ;-)
    >
    > But isn't there a significant performance hit when using this form of
    > authentication? Can connection pooling be used? I was under the
    > impression that every db access would cause a new connection to be
    > formed and therefore using the integrated auth would be frowned on in a
    > performance type light? Am I all wet?
    >
    > Thanks,
    >
    > John
    >
    > -----Original Message-----
    > From: Chip Andrews [mailto:chipandrewsusa.net]
    > Sent: Thursday, January 10, 2002 10:14 AM
    > To: Eli Allen; focus-mssecurityfocus.com
    > Subject: Re: [SQL connection string security]
    >
    >