Securing an ASRNET application with a SQL Server back end is an enormously complex task. People have written books about building secure ASRNET applications and about securing SQL Server systems. However, relatively little has been written about protecting data by stepping back and looking at the entire application ecosystem. Thus. I'll discuss how to secure that ecosystem, including the communication channels between the ASRNET application and SQL Server, with the aim of protecting data both in motion and at rest in the database. This is still a large topic, so I'll concentrate on what I think is most important, and what developers and DBAs often overlook.

A Secure Starting Point

SQL Server databases and servers are remarkably secure when you first instali them. Unfortunately, most DBAs insist on actually doing something useful with SQL Server, which involves punching all kinds of holes in the security of a server or instance. They add logins, add databases with code in them, grant access to users and applications, and do other things that make SQL Server useful but far less secure than it started out in its pristine, newly installed state.

Because ASRNET provides a blank slate for an application, it doesn't start out secure. However, it provides plenty of features that let security-aware developers create secure web applications. Security starts with application conception and continues through the entire span of its life.

I'm going to assume that you've already hardened your ASRNET application, your SQL Server installation, and any intermediate tiers, including the servers on which they run. In other words. I'm assuming that you're protecting servers lo a degree appropriate for the sensitivity and value of the data in the system and you have policies and procedures in place to constantly review and evaluate your security in the face of changing environments and emerging threats. Microsoft has made an enormous amount of free information available on how to do these things on MSDN and Tech Net, and there is even more on third-parly websiles. If you haven't done this step yet. go do that right now because your data and servers are probably already under attack. Here are a few...