How to control access to a database on a Web server in Windows Server 2003

This step-by-step article describes several methods that you can use to control access to a database that is published on a Microsoft Internet Information Services (IIS) 6.0-based Web server.

Use security features in the database

You can use the built-in security permissions of the database program or the database management system to control user access to the database. By using the integrated user authentication methods in your database, you can control access to the database with a fine level of granularity.

When you use the Database Results Wizard in Microsoft FrontPage 2002 to create a Web page that has access to a database, you can use password protection for that database connection.

To view security-related information in Microsoft SQL Server, search for "security" in SQL Server Books Online.

Control access by using the data source name for a database management system

The data source name (DSN) that you create on the Web server is used by an external program or by an Active Server Pages (ASP) page to refer to the database that you want to publish on your Web site.

To view the DSN password settings for a database management system such as Microsoft SQL Server, follow these steps:

1. Log on to the Web server computer as administrator.
2. Click Start, point to Administrative Tools, and then click Data Sources (ODBC).
3. Click the System DSN tab, and then click the name that corresponds to the DSN driver that you want to configure. For example, you might click SQL Server.
4. Click Configure, verify the SQL Server name, and then click Next.
5. Under How should SQL Server verify the authenticity of the login ID, use one of the following methods:
   • If you want to use integrated Windows authentication, click With Windows NT authentication using the network login ID.
     
     -or-
   • If you want to use integrated SQL Server authentication, click With SQL Server authentication using a login ID and password entered by the user.
     
     Note If this option is selected, type a login ID and a password before you continue.
6. Click Next two times, and then click Finish.
7. Click OK two times.

Note To connect to a SQL Server 2005 server, create a DSN by selecting SQL Native Client as the driver.

Use NTFS file system permissions to restrict access to files or to folders

You can use Microsoft Windows Server 2003 NTFS file system permissions to restrict access to certain folders and to certain files in your Web.

For additional information about how to use NTFS permissions to control access to files and to folders in your Web site and other methods you can use to help secure your Web, click the following article number to view the article in the Microsoft Knowledge Base:

Use subwebs to restrict access to a section of the Web site

When you use Microsoft FrontPage to create your Web, you can create security boundaries through the use of subwebs. In FrontPage each subweb can maintain separate security settings. You can put your database results pages or put your ASP pages that refer to the database in a subweb that contains unique permissions.

For additional information about how to create a subweb and how to assign unique permissions, click the following article number to view the article in the Microsoft Knowledge Base:

Use an appropriate Web server authentication method

Use an appropriate Web server authentication method for users who try to obtain access to your database. Database user authentication can depend on the protocol that is used for the database connection. For example, if you decide to use the Named Pipes default connection protocol for SQL Server, authentication of Windows user account credentials may occur with SQL Server authentication.

For additional information about how to connect to a database through IIS, click the following article number to view the article in the Microsoft Knowledge Base: For additional information about SQL Server security, visit the following Microsoft Web sites:

SQL Server 2000 SP3 security features and best practices

Security considerations for SQL Server