trusted_connection=yes

[Scott Pendleton]

I do not understand the usefulness, from a security
standpoint, of specifying "trusted_connection=yes" in the
SQL Server connection string in my Active Server Pages. It
seems like this:

Man: Give me all your money.
IIS: No, because you didn't say "trusted_connection=yes".
Man: trusted_connection=yes
IIS: Ok, here it is!

Do you see my point? What's the value of requiring a
trusted connection if, to get one, all you have to do is
ask for it?

 

[ranjeet]

i don't see your point.
the security is in having the asp writer declare security access - if you
didn't have it then web users couldn't get data from the data source

in you example man is the user underwhich the web page runs - so if the db
admin allows the iwam account (or whatever user the iis web user will
access site with) access to the db then you can see the database (with
sqlserver the account can be monitored and appropriate access permissions
applied at the user level).

I hope that helps.

Best Regards,

Ranjeet.