© 2004 Microsoft Corporation. All rights reserved.
Security Issues
When the XML-based HTTP access to SQL Server was introduced, one of the biggest concerns was that anonymous access is, by default, given to the virtual directory created during this process. Giving anonymous access, coupled with the option of assigning SQL Server security credentials at the virtual directory level, opens that data source to anyone with HTTP access.
To lock this down, do not specify security using SQL Server credentials. Instead, select Windows Integrated Authentication for both the database and the virtual directory used for the updategrams. Secure the database (the one the data source points to) using a custom Windows 2000 local security group. You can then add the Windows 2000 accounts that you want to be able to access the tables. This does add the burden of managing security at the database level (something most COM+ developers spend energy moving away from), but it is better than the alternative of disabling URL access altogether.
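The database side of that lockdown, as an added T-SQL example for SQL Server 2000 (not code from the original article). The machine name `WEBSRV01`, group `UpdategramUsers`, account `alice`, database `SalesDb` and table `dbo.Orders` are hypothetical placeholders.

```sql
-- Added example; every name below is a hypothetical placeholder.
-- Assumes the custom local group already exists on the SQL Server machine
-- and holds the Windows accounts that may use the updategrams, e.g.:
--   net localgroup UpdategramUsers /add
--   net localgroup UpdategramUsers alice /add

-- 1. Allow members of the Windows group to log in to SQL Server
--    using Windows Integrated Authentication (no SQL Server password).
EXEC sp_grantlogin N'WEBSRV01\UpdategramUsers'
GO

USE SalesDb
GO

-- 2. Map the group to a user in the database the virtual directory points to.
EXEC sp_grantdbaccess N'WEBSRV01\UpdategramUsers', N'UpdategramUsers'
GO

-- 3. Grant only the table permissions the updategrams need.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO UpdategramUsers
GO

-- 4. Check: database users backed by SQL Server logins (or guest) that can
--    still reach this database. Anything listed here bypasses the
--    Windows-group model and should be reviewed.
SELECT name
FROM sysusers
WHERE issqluser = 1 AND hasdbaccess = 1 AND name <> N'dbo'
GO

-- 5. Check: who holds which permissions on the table.
EXEC sp_helprotect N'dbo.Orders'
GO
```

With the virtual directory also set to Windows Integrated Authentication, a request reaches the tables only when the caller's Windows account is a member of the group.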



MSDN Magazine