Security is a growing concern in the Internet/intranet development community. It is a constant trade-off between access to services and data, and protection of those services and data. This is really the heart of the security dilemma—if your site is too secure, it could lose its value. On the other hand, without appropriate security measures, you might find someone corrupting your database for you, or selling your company's secrets to your competitors.
Security issues can be addressed at three different levels—the features offered by the Web server, those offered by the operating system, and those offered by the data source being accessed. In the Microsoft world, the operating system and the Web server are tightly coupled, as are the security features they offer.
Internet Information Server (IIS) supports advanced security facilities, such as Secure Sockets Layer (SSL), which provides a security scheme for bulk-encrypting data between the server and its clients when private communication is required. In addition, IIS completely integrates with the object-level and user-level security services provided by Windows NT. This integration can be used to protect a specific area of your site, such as DSN definition files, to which you don't want people to have access. In Chapter 9, we'll be looking at Web site security in a lot more detail.
However, as powerful as these facilities are, they will generally need to be supplemented with additional security measures that can be used to protect the data accessed by your site. In this section we will take a brief look at SQL Server security, and see what features and capabilities are available in this product. Then we will apply these features to accessing a SQL Server from an ASP page. Finally, we will take a look at a few simple steps you can take to protect your site and its data.