Website to Database Security



  • I am in an Active Directory environment setting up an internal website on IIS. I will be using the Active Directory logged-in user from the browser to determine who the person is and show different information based on this user. I am butting heads with another internal group around here about security, and I would like some best practice information to help settle this disagreement.

    I would like to have a single domain account for the web application, and for ownership of the database. Users would have to be logged in to their computer via AD, then when they open the site our internal logic would determine the information they have access to, and the website would have its own internal list of roles and security. Then calls for information would use a single account between IIS and the database.

    The other department says this is a security risk, and is requiring passthrough security. This means that every user would be added to an AD group with rights to the website and databases. This ensures that every database access can be tracked back to an individual account. I see this as overkill, and adding an unnecessary layer of complexity. Addition of roles, whether it be website security or Active Directory security, would be done by an administrator, using their personal account.

    Does anyone have any citable sources, or just wants to convince me that one way or another is right?



  • @s.hackleman said in Website to Database Security:

    The other department says this is a security risk, and is requiring passthrough security. This means that every user would be added to an AD group with rights to the website and databases.

    Well no. I'm not sure where passthrough security is coming from to begin with, maybe some more clarity there. But I'm not seeing it.

    The users would need to be in an AD group with access to the website, yes. But none of them would have ANY access to the database, of course. Only the application would have access to the database. So something is wrong with that description compared to how you described it above.



  • @s.hackleman said in Website to Database Security:

    This ensures that every database access can be tracked back to an individual account.

    That doesn't make sense. You log that from the application, not the database.
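
The pattern Scott describes (one service account on the database side, with the end user identified, authorized and logged by the application) as an added C# example that is not part of this thread. It assumes ASP.NET on IIS with Windows authentication enabled, an app pool running as the single domain service account, SQL Server 2016 or later for sp_set_session_context, and hypothetical tables dbo.AppRole, dbo.AuditLog and dbo.Report.

```csharp
// Added example, not from the thread. One domain service account between IIS and
// SQL Server; the browsing user's AD identity is authorized and audited by the app.
// Assumed: Windows auth on IIS, app pool = service account, hypothetical tables.
using System;
using System.Data;
using System.Security.Principal;
using Microsoft.Data.SqlClient;

public static class AppDataAccess
{
    // Integrated Security = the app pool's domain account, never the browsing user.
    private const string ConnString =
        "Server=DBHOST;Database=AppDb;Integrated Security=true;Encrypt=true;";

    // Identity IIS established for the request, e.g. "CORP\\jdoe".
    public static string CallerName(IPrincipal user)
    {
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("Request is not Windows-authenticated.");
        return user.Identity.Name;
    }

    public static DataTable ReadReport(IPrincipal user, int reportId)
    {
        string caller = CallerName(user);
        using var conn = new SqlConnection(ConnString);
        conn.Open();
        // Tag the session with the real end user so DB-side auditing can read
        // SESSION_CONTEXT(N'app_user') even though the login is the service account.
        Exec(conn, "EXEC sp_set_session_context @key = N'app_user', @value = @u, @read_only = 1",
             ("@u", caller));

        // Authorization comes from the application's own role table, not from
        // AD group membership granted on the database.
        using var roleCmd = new SqlCommand(
            "SELECT COUNT(*) FROM dbo.AppRole WHERE UserName = @u AND RoleName = N'ReportReader'", conn);
        roleCmd.Parameters.AddWithValue("@u", caller);
        bool allowed = (int)roleCmd.ExecuteScalar() > 0;

        // Application-side audit row: this is where "who accessed what" is recorded,
        // for denied attempts as well as successful reads.
        Exec(conn, "INSERT INTO dbo.AuditLog(UserName, Action, TargetId, At) VALUES (@u, @a, @t, SYSUTCDATETIME())",
             ("@u", caller), ("@a", allowed ? "ReadReport" : "DENY ReadReport"), ("@t", reportId));
        if (!allowed)
            throw new UnauthorizedAccessException($"{caller} is not a ReportReader.");

        using var cmd = new SqlCommand("SELECT * FROM dbo.Report WHERE ReportId = @id", conn);
        cmd.Parameters.AddWithValue("@id", reportId);
        var table = new DataTable();
        table.Load(cmd.ExecuteReader());
        return table;
    }

    private static void Exec(SqlConnection conn, string sql, params (string Name, object Value)[] args)
    {
        using var cmd = new SqlCommand(sql, conn);
        foreach (var (name, value) in args) cmd.Parameters.AddWithValue(name, value);
        cmd.ExecuteNonQuery();
    }
}
```

The database login is always the service account, so no per-user SQL logins or AD group grants on the database are needed; a SQL Server audit or trigger can still read SESSION_CONTEXT(N'app_user') to see which person was behind a given query.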



  • @scottalanmiller said in Website to Database Security:

    Well no. I'm not sure where passthrough security is coming from to begin with, maybe some more clarity there. But I'm not seeing it.

    The users would need to be in an AD group with access to the website, yes. But none of them would have ANY access to the database, of course. Only the application would have access to the database. So something is wrong with that description compared to how you described it above.

    I know, but no I described it right. That is what I am fighting. I am in the process of making my case for sanity.



  • @s.hackleman said in Website to Database Security:

    I know, but no I described it right. That is what I am fighting. I am in the process of making my case for sanity.

    So the other department doesn't know how applications or databases work? Just ignore them then, you won't be able to convince them without teaching them way too much to be worth it.



  • @scottalanmiller said in Website to Database Security:

    So the other department doesn't know how applications or databases work? Just ignore them then, you won't be able to convince them without teaching them way too much to be worth it.

    I wish I could, but in this case I have to get them on board. I wish I had a better response than office politics, but I know you understand how silly it can be sometimes.



  • @s.hackleman said in Website to Database Security:

    I wish I could, but in this case I have to get them on board. I wish I had a better response than office politics, but I know you understand how silly it can be sometimes.

    I'd go to management and discuss the security risks of "random, non-technical input" and list this process as "social engineering endangering the company at an endemic management level." This is a reckless process that someone (maybe the CEO) should know about.



  • @scottalanmiller said in Website to Database Security:

    I'd go to management and discuss the security risks of "random, non-technical input" and list this process as "social engineering endangering the company at an endemic management level." This is a reckless process that someone (maybe the CEO) should know about.

    That is the case I am building, just checking my own sanity, and looking for information that is easy to digest.



  • @s.hackleman said in Website to Database Security:

    That is the case I am building, just checking my own sanity, and looking for information that is easy to digest.

    🙂 Anything else will be impossible because defending against "random inaccurate statements" isn't really plausible. But why someone would be introducing this risk at any level is a serious question. What's their purpose in doing this?



  • @scottalanmiller said in Website to Database Security:

    🙂 Anything else will be impossible because defending against "random inaccurate statements" isn't really plausible. But why someone would be introducing this risk at any level is a serious question. What's their purpose in doing this?

    In short, non-technical middle management making rules and enforcing them down on technical people.



  • @s.hackleman said in Website to Database Security:

    In short, non-technical middle management making rules and enforcing them down on technical people.

    But how did they get that power and why is the security head not stepping in to fix a problem? Why are their managers not protecting the company from them?



  • @scottalanmiller said in Website to Database Security:

    But how did they get that power and why is the security head not stepping in to fix a problem? Why are their managers not protecting the company from them?

    Next time I see you in person, I'll buy you a beer, and we can break it all down.



  • I'm curious how this other group even got involved? Who are they to the project?

