Module 7: Securing Microsoft SQL Server Contents Overview Lesson: SQL Server Connections and Security Lesson: SQL Server Role-Based Security 15 Lesson: Securing SQL Server Communication 32 Lesson: Preventing SQL Injection Attacks 36 Review 46 Lab 7: Securing Microsoft SQL Server Data 48 Information in this document, including URL and other Internet Web site references, is subject to change without notice Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred Complying with all applicable copyright laws is the responsibility of the user Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property  2002 Microsoft Corporation All rights reserved Microsoft, MS-DOS, Windows, Windows NT, ActiveX, Active Directory, Authenticode, Hotmail, JScript, Microsoft Press, MSDN, PowerPoint, Visual Basic, Visual C++, Visual Studio, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries The names of actual companies and products mentioned herein may be the trademarks of their respective owners Module 7: Securing Microsoft SQL Server Instructor Notes Presentation: 75 minutes Lab: 30 minutes This module provides students with an explanation of how to use Microsoft® SQL Server™ security features to protect Web application data After completing this module, students will be able to connect securely to a SQL Server database, and use the SQL Server security model to protect a Web application against SQL injection attacks After completing this module, students will be able to: ! ! Create different types of SQL Server roles and assign members to those roles ! Secure SQL Server communication channels by using connection application programming interfaces (APIs) ! Required materials Use Microsoft Windows® Authentication or SQL Server Authentication to authenticate SQL Server connections Secure SQL Server against SQL injection attacks To teach this module, you need the following materials: ! ! Preparation tasks Microsoft PowerPoint® file 2300A_07.ppt Hypertext Markup Language (HTML) code sample file 2300A_07_code.htm To prepare for this module: ! Read all of the materials for this module ! Complete the practices and lab ! Read Chapter 6, “SQL Server Security Overview,” in Designing Secure Web-Based Applications for Microsoft Windows 2000 by Michael Howard (Redmond, Microsoft Press®), 2000 ! Read Module 1, “SQL Server Overview,” in Course 2072, Administering a Microsoft SQL Server 2000 Database ! Visit the Microsoft Security page at http://www.microsoft.com/security/ security_bulletins/ms02020_sql.asp iii iv Module 7: Securing Microsoft SQL Server How to Teach This Module This section contains information that will help you to teach this module Lesson: SQL Server Connections and Security This section describes the instructional methods for teaching each topic in this lesson SQL Client Identity Explain the two types of identities that can be used to connect to SQL Server Inform the class that this topic provides the overview of the two identities, Windows user and SQL Server user Do not cover the identities in detail with this topic The rest of module explains the two identities in detail and provides the advantages and disadvantage of both of the identities Overview of Authentication in SQL Server Explain the two authentication methods that are used to authenticate the client based on its identity For the Windows user identity, Windows Authentication is used, and for the SQL User Identity, SQL Server Authentication is used Compare the two authentication choices and emphasize that Windows Authentication is generally preferred because it offers more security services Also, explain the situations in which using SQL Server Authentication is more useful Configuring the SQL Server Security Mode Explain the two security modes that are available in SQL Server: Windows only and SQL Server and Windows Inform students that the Windows only and SQL Server and Windows security modes are also known as integrated security mode and mixed security mode, respectively When explaining the security modes, use Enterprise Manager on the London computer to show the security mode setting that is on the Glasgow computer Security Configuration and Connection Pooling Explain how SQL Server security configuration affects database connection pooling Also, explain how students can improve the database connection pooling by limiting the user identities that are presented to SQL Server Show the Microsoft MSDN® documentation for the SqlConnection class to show all of the possible connection string values Connecting to SQL Server Explain the connection string values that specify the type of authentication that will be used to authenticate clients SQL Server Logins Explain the two logins that exist in SQL Server by default: sa and the Local administrators group Emphasize to the class that these two logins have access to all of the databases in the SQL Server instance Therefore, these logins are not good choices for Web application logins Use Enterprise Manager to show the default logins to the students SQL Server Permissions Explain the two categories of SQL Server permissions: object and statement Also, inform students about the permissions that can be granted, denied, or revoked under each category Module 7: Securing Microsoft SQL Server v Lesson: SQL Server Role-Based Security Fixed Server Roles Use Enterprise Manager and expand to the logins and then to server roles Show the students the list of server roles Database Roles Inform students about the three types of database roles that exist on each database in SQL Server The following three topics provide details of the three types of database roles; therefore, not go into details with this topic Fixed Database Roles Explain all of the roles that are part of the fixed database role User Database Role Show the class how to add the user database role into a database Application Database Role Show the class how to add the application database role into a database Demonstration: Adding Roles and Logins to SQL Server Introduce the demonstration by explaining the Internet Information Services (IIS) authentication modes for the TailspinToys and TailspinToysAdmin Web applications Ask the students how each Web application should connect to SQL Server Use these answers to further ask what configuration changes the students would make to SQL Server to accomplish configuration Best Practices for Connecting to SQL Server This topic describes the best practices for connecting to SQL Server Emphasize to the class that these best practices must be followed when developing Web applications that connect to SQL Server Instructor-Led Practice: Connecting to SQL Server The focus of this practice is connection strings Ask students why a particular connection string succeeded or failed Lesson: Securing SQL Server Communication Overview of SQL Connection APIs The focus for this topic is the communication channel between the Web server and SQL Server Secure Communication with SQL Server You can optionally run the lab after this topic and then return to the final lesson after the lab Lesson: Preventing SQL Injection Attacks Overview of SQL Injection Attacks Explain the SQL injection attack and provide examples of SQL injection attacks Instructor-Led Practice: Using an SQL Injection Attack to Gain Access to a Web Application The focus of this instructor-led practice is to show how an SQL injection attack is performed Protected Against SQL Injection Attacks Explain the best practices that must be followed to protect the Web application against SQL injection attacks Using SQL parameters in ADO Use the Code Example link that is given at the bottom of the slide to show an example of using SQL parameters in ActiveX® Data Objects (ADO)–based Web applications vi Module 7: Securing Microsoft SQL Server Using SQL parameters in ADO.NET Use the Code Example link that is given at the bottom of the slide to show an example of using SQL parameters in Microsoft ADO.NET–based Web applications Demonstration: Securing a Web Application Against an SQL Injection Attack This demonstration shows how to secure a Web page against an SQL injection attack The Web page will be secured by using a parameterized SQL query instead of an SQL query that is built using string concatenation Reiterate that using parameters prevents the form field values from being executable SQL Lab 7: Securing Microsoft SQL Server Data The Web pages in both the TailspinToys and TailspinToysAdmin Web applications must read data from the TailspinToys SQL Server database In this lab, students will create connection strings to connect to SQL Server and then call utility functions to read data from the SQL Server database Module 7: Securing Microsoft SQL Server vii Customization Information This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware Lab Setup To complete this lab, you can continue working in the Tailspin Toys Microsoft Visual Studio® NET projects that you have already created, or you can start with new files If you want to start with new files, you must copy the appropriate starter projects to the lab virtual root directories There are separate starter projects for the Active Server Pages (ASP) and the Microsoft ASP.NET exercises ! Create the Web applications for the ASP exercises Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab07\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab07\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin ! Create the Web applications for the ASP.NET exercises Copy all of the contents of the ASP.NET starter folder install_folder\ Labfiles\Lab07\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToys.NET Copy all of the contents of the ASP.NET starter folder install_folder\ Labfiles\Lab07\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToysAdmin.NET Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and change the tag to be , where computerName is the name of your computer viii Module 7: Securing Microsoft SQL Server ! Configure IIS authentication Run the IIS administrative tool Expand the computer node and the Default Web Site node in the tree Right-click the TailspinToysAdmin virtual directory, and click Properties Click Directory Security In the Anonymous access and authentication control group, click Edit Clear the Anonymous access check box Click OK twice to save your changes Right-click the TailspinToysAdmin.NET virtual directory, and click Properties Click Directory Security 10 In the Anonymous access and authentication control group, click Edit 11 Clear the Anonymous access check box 12 Click OK twice to save your changes ! Configure SQL Server (instructors only) • You must perform the “Adding Roles and Logins to SQL Server” demonstration in Module 7, “Securing Microsoft SQL Server,” in Course 2300, Developing Secure Web Applications for this lab to function properly Lab Results Performing the lab in this module introduces the following configuration change: The element of the Web.config file for TailspinToys.NET and TailspinToysAdmin.NET will be modified to use Integrated Windows authentication Module 7: Securing Microsoft SQL Server Overview ! SQL Server Connections and Security ! SQL Server Role-Based Security ! Securing SQL Server Communication ! Preventing SQL Injection Attacks *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction In Web applications, a database is an important component that must be secured against attack Understanding the security features of Microsoft® SQL Server and how to use them effectively is critical for developing secure Web applications In this module, you will learn how to use SQL Server security features to protect Web application data Note The code samples in this module are provided in both Microsoft Visual Basic® NET and C# Objectives After completing this module, you will be able to: ! Use Microsoft Windows® Authentication or SQL Server Authentication to authenticate SQL Server connections ! Create different types of SQL Server roles and assign members to those roles ! Secure SQL Server communication channels by using connection application programming interfaces (APIs) ! Secure SQL Server against SQL injection attacks Module 7: Securing Microsoft SQL Server Lesson: SQL Server Connections and Security ! SQL Client Identity ! Overview of Authentication in SQL Server ! Configuring the SQL Server Security Mode ! Security Configuration and Connection Pooling ! Connecting to SQL Server ! SQL Server Logins ! SQL Server Permissions *****************************ILLEGAL FOR NON-TRAINER USE****************************** Introduction SQL Server provides several security features that can be used to secure Web application data SQL Server also integrates with Windows operating systems and makes use of the secure Windows authentication services To secure access to SQL Server, the administrator can create user logins, configure login permissions, and assign roles to the user logins The permissions and roles determine which actions users can perform, in addition to what kind of data the users can access The primary goal in managing SQL Server security is to restrict database permissions so that users are less likely to execute harmful commands and procedures Lesson objectives After completing this lesson, you will be able to: ! Explain the SQL Server authentication modes and identify when to use each mode ! Configure SQL Server for authentication modes ! Select the appropriate connection method for accessing SQL Server ! Define the SQL Server permission types and identify when to use each type of permission ! Create logins to allow users to connect to SQL Server ! Assign permission to the users 46 Module 7: Securing Microsoft SQL Server Review ! SQL Server Connections and Security ! SQL Server Role-Based Security ! Securing SQL Server Communication ! Preventing SQL Injection Attacks *****************************ILLEGAL FOR NON-TRAINER USE****************************** What are the two types of authentication that SQL Server can use? Windows Authentication and SQL Server Authentication If you want to force client applications to use Windows user accounts to connect to a SQL Server instance, how would you configure SQL Server? Set the SQL Server authentication to Windows only Is the sa login a good choice for a Web application connection to SQL Server? Why or why not? No The sa login is a member of the System Administrators and db_owner roles and has full control over a SQL Server instance If a SQL Server instance is configured for SQL Server and Windows security, how does a client application use SQL authentication when connecting to SQL Server? By using the "uid=username;pwd=password" connection string parameters What are the different types of database roles in SQL Server? Fixed, user, and application Module 7: Securing Microsoft SQL Server What are the different kinds of database permissions in SQL Server? Object and statement How you prevent an SQL injection attack? Do not use string concatenation to build SQL queries Instead, use parameterized SQL queries or stored procedures 47 48 Module 7: Securing Microsoft SQL Server Lab 7: Securing Microsoft SQL Server Data ! ASP Exercise 1: Setting Connection Strings ! ASP Exercise 2: Calling SQL Server ! ASP.NET Exercise 3: Setting Connection Strings ! ASP.NET Exercise 4: Calling SQL Server *****************************ILLEGAL FOR NON-TRAINER USE****************************** Objectives After completing this lab, you will be able to: ! Create ADO and ADO.NET connection strings for SQL authentication and Windows authentication ! Connect to SQL Server by using connection strings ! Use a parameterized stored procedure Note This lab focuses on the concepts in this module and as a result may not comply with Microsoft security recommendations For instance, this lab does not check all error conditions Prerequisites Before working on this lab, you must have: ! Experience creating ASP and ASP.NET Web pages ! Experience using ADO and ADO.NET to communicate with SQL Server Module 7: Securing Microsoft SQL Server Scenario 49 In the labs for Course 2300, Developing Secure Web Applications, you will create two Web applications, TailspinToys and TailspinToysAdmin By accessing the TailspinToys Web application, users will be able to get a list of the products that are created by Tailspin Toys, and resellers will be able to view the status of their orders By accessing the TailspinToysAdmin Web application, employees will be able to create new reseller accounts and update the status of reseller orders The Web pages in both the TailspinToys and TailspinToysAdmin Web applications need to read data from the TailspinToys SQL Server database In this lab, you will create connection strings to connect to SQL Server and then call utility functions to read data from the SQL Server database Note The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious No association with any real company, organization, product, domain name, e-mail address, logo, person, places, or events is intended or should be inferred Estimated time to complete this lab: 30 minutes 50 Module 7: Securing Microsoft SQL Server Exercise Lab Setup To complete this lab, you can either continue working in the Tailspin Toys Visual Studio NET projects that you have already created, or you can start with new files If you want to start with new files, you must copy the appropriate starter projects to the lab virtual root directories There are separate starter projects for the ASP and the ASP.NET exercises ! Create the Web applications for the ASP exercises Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab07\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory at C:\Inetpub\wwwroot\TailspinToys Copy all of the contents of the ASP starter folder install_folder\Labfiles\ Lab07\ASP\Starter\TailspinToysAdmin to the TailspinToysAdmin IIS virtual directory at C:\Inetpub\wwwroot\TailspinToysAdmin ! Create the Web applications for the ASP.NET exercises Copy all of the contents of the ASP.NET starter folder install_folder\ Labfiles\Lab07\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToys.NET Copy all of the contents of the ASP.NET starter folder install_folder\ Labfiles\Lab07\ASPXVB\Starter\TailspinToysAdmin.NET to the TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\ TailspinToysAdmin.NET Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and change the tag to be , where machineName is the name of your computer Module 7: Securing Microsoft SQL Server 51 ! Configure IIS authentication Run the IIS administrative tool Expand the computer node and the Default Web Site node in the tree Right-click the TailspinToysAdmin virtual directory and click Properties Click Directory Security In the Anonymous access and authentication control group, click Edit Clear the Anonymous access check box Click OK twice to save your changes Right-click the TailspinToysAdmin.NET virtual directory and click Properties Click Directory Security 10 In the Anonymous access and authentication control group, click Edit 11 Clear the Anonymous access check box 12 Click OK twice to save your changes ! Configure SQL Server (instructors only) • If you did not perform the “Adding Roles and Logins to SQL Server” demonstration in Module 7, “Securing Microsoft SQL Server,” you must it now 52 Module 7: Securing Microsoft SQL Server ASP Exercise Setting Connection Strings In this exercise, you will set the connection strings for the TailspinToys and TailspinToysAdmin ASP Web applications ! Modify the TailspinToys connection string In Visual Studio NET, open the 2300Labs solution Open the DBConn.inc file in the TailspinToys project Modify the strConn variable to use the WebUser login for SQL authentication by setting the variable to the following connection string: strConn = "Provider=SQLOLEDB;" & _ "uid=WebUser;pwd=P@ssword8;" & _ "Initial Catalog=TailspinToys;Data Source=Glasgow" Save and close the DBConn.inc file ! Modify the TailspinToysAdmin connection string In Visual Studio NET, open the DBConn.inc file in the TailspinToysAdmin project in the 2300Labs solution Modify the strConn variable to use Integrated Windows authentication by setting the variable to the following connection string: strConn = "Provider=SQLOLEDB;" & _ "Trusted_Connection=yes;" & _ "Initial Catalog=TailspinToys;Data Source=Glasgow" Save and close the DBConn.inc file Module 7: Securing Microsoft SQL Server 53 ASP Exercise Calling SQL Server In this exercise, you will add code to use the new connection strings to communicate with SQL Server ! View the implementation of GetSavedPassword In Visual Studio NET, open the UsersDB.inc file in the TailspinToys project in the 2300Labs solution Locate the GetSavedPassword function Which variable is used to open a connection to SQL Server? The strConn variable in the DBConn.inc file Is this function susceptible to an SQL injection attack? Why or why not? No It uses a parameterized stored procedure call instead of creating an SQL query by using string concatenation Close the UsersDB.inc file ! Change the Login.asp page to call GetSavedPassword In Visual Studio NET, open the Login.asp page in the TailspinToys project in the 2300Labs solution If necessary, switch to the Hypertext Markup Language (HTML) view of the Login.asp file Locate the following comment and code: 'temporary code to check if password is valid 'this code will be changed in subsequent labs If sPassword "" Then bValidPassword = True End If Change the code to call the GetSavedPassword function to read the saved password from the database and compare the entered password with the saved password 54 Module 7: Securing Microsoft SQL Server If the password is valid, call the GetUserID function to read the customer ID for the logged-on user and store the ID in the custID Session variable Your code should look like the following bold code: 'temporary code to check if password is valid 'this will be fixed in a subsequent lab Dim retval Dim sSavedPassword Dim iId retval = GetSavedPassword(sUser, sSavedPassword) If retval = Then ' Username is valid, check password If sPassword = sSavedPassword Then 'Read UserID from database retval = GetUserID(sUser, iId) If retval = then bValidPassword = True End If End If End If If (bValidPassword) Then sLogin = "Login successful" Session("custID") = iId Response.Redirect "Resellers.asp" Else sLogin = "Login failed" End If Save and close the Login.asp page ! Test the Login.asp page Open Internet Explorer and browse to the http://localhost/TailspinToys/ Login.asp page Type your assigned user name with a password of P@ssword8, and then click Log On The connection string is used to connect to SQL Server by using SQL authentication The user name is found and the password is verified You are redirected to the reseller's home page, Resellers.asp On the reseller's home page, click Order Status The OrderStatus.asp page displays the orders for just this customer Module 7: Securing Microsoft SQL Server 55 ! View the implementation of the ChangeOrderStatus.asp page In Visual Studio NET, open the ChangeOrderStatus.asp page in the TailspinToysAdmin project in the 2300Labs solution Notice that the script at the top of the page calls the ChangeOrderStatus function Open the OrdersDB.inc file in the TailspinToysAdmin project Locate the ChangeOrderStatus function Notice that the ChangeOrderStatus function uses the strConn connection string from the DBConn.inc file ! Test the ChangeOrderStatus.asp page Open Internet Explorer and browse to the http://localhost/ TailspinToysAdmin/private/ChangeOrderStatus.asp page Type in the Order number box Type a New status of shipped Click Change Status The connection string is used to connect to SQL Server by using Windows authentication The order status is successfully changed 56 Module 7: Securing Microsoft SQL Server ASP.NET Exercise Setting Connection Strings In this exercise, you will set the connection strings for the TailspinToys.NET and TailspinToysAdmin.NET projects ! Modify the TailspinToys.NET connection string In Visual Studio NET, open the 2300Labs.NET solution Open the Web.config file in the TailspinToys.NET project In the element, modify the TailspinToysDSN value to use the WebUser login for SQL authentication by setting the value attribute of the TailspinToysDSN key to the following connection string: Save and close the Web.config file ! Modify the TailspinToysAdmin.NET connection string In Visual Studio NET, open the Web.config file in the TailspinToysAdmin.NET project in the 2300Labs.NET solution In the element, modify the TailspinToysDSN value to use Integrated Windows authentication with SQL Server by setting the value attribute of the TailspinToysDSN key to the following connection string: Save and close the Web.config file Module 7: Securing Microsoft SQL Server 57 ASP.NET Exercise Calling SQL Server In this exercise, you will add code to use the new connection strings to communicate with SQL Server ! View the implementation of GetSavedPassword In Visual Studio NET, expand the Tailspin_ReadDBUtils project in the 2300Labs.NET solution Open the ProductsDB.vb file Locate the DBConnection class Where does the ConnectionString property locate the connection string to use? The ConnectionString property uses the TailsinToysDSN value that you set in the previous exercise The ConnectionString property reads the connection string from the configuration file Locate the GetSavedPassword method in the UsersDB class How does the GetSavedPassword method get the connection string? The first line of code in the GetSavedPassword method uses the DBConnection.ConnectionString property to open a connection with SQL Server Close the ProductsDB.vb file 58 Module 7: Securing Microsoft SQL Server ! Change the Login.aspx page to call GetSavedPassword In Visual Studio NET, expand the TailspinToys.NET project in the 2300Labs.NET solution Open the Login.aspx page Right-click in Design view, and then click View Code to open the Login.aspx.vb code-behind page Locate the following comment and code in the cmdLogin_Click event procedure: 'temporary code to check if password is valid 'this code will be changed in subsequent labs If txtPassword.Text "" Then bValidPassword = True End If Change the code to call the GetSavedPassword method in the Tailspin_ReadDBUtils.UsersDB class to read the saved password from the database, and then compare the entered password with the saved password Module 7: Securing Microsoft SQL Server If the password is valid, call the GetUserID method of the Tailspin_ReadDBUtils.UsersDB class to read the customer ID for the logged-on user, and then use this value as the name of the authorization ticket in the calls to FormsAuthentication.GetRedirectUrl, FormsAuthentication.SetAuthCookie, and FormsAuthentication.RedirectFromLoginPage Your code should look like the following bolded code: 'temporary code to check if password is valid 'this code will be changed in subsequent labs Dim strSavedPassword As String Dim retValue As Integer Dim intUserID As Integer retValue = _ Tailspin_ReadDBUtils.UsersDB.GetSavedPassword( _ txtUsername.Text, strSavedPassword) If retValue = Then ' Valid username If txtPassword.Text = strSavedPassword Then ' Read UserID from database retValue= Tailspin_ReadDBUtils.UsersDB.GetUserID( _ txtUsername.Text, intUserID) If retValue = Then ' Login successful bValidPassword = true End If End If End If 'Set user login message If bValidPassword Then lblInfo.Text = "Login successful" Dim sID As String = CStr(intUserID) If (FormsAuthentication.GetRedirectUrl(sID, _ False).IndexOf("default.aspx") = -1) Then FormsAuthentication.RedirectFromLoginPage(sID, _ False) Else FormsAuthentication.SetAuthCookie(sID, False) Response.Redirect("Resellers/Resellers.aspx") End If Else lblInfo.Text = "Login failed" End If Save and close the Login.aspx.vb code-behind page 59 60 Module 7: Securing Microsoft SQL Server ! Test the Login.aspx page In Visual Studio NET, build the TailspinToys.NET project Open Internet Explorer and browse to the http://localhost/ TailspinToys.NET/Resellers/Resellers.aspx page When prompted, type your assigned user name with a password of P@ssword8, and then click Log On The connection string is uses SQL authentication to connect to SQL Server The user name is found and the password is verified Login.aspx redirects you to the Resellers.aspx page On the reseller's page, click Order Status The OrderStatus.aspx page displays the orders for just this customer ! View the implementation of the ChangeOrderStatus.aspx page In Visual Studio NET, expand the TailspinToysAdmin.NET project in the 2300Labs.NET solution Open the ChangeOrderStatus.aspx page Right-click in Design view, and then click View Code to open the ChangeOrderStatus.aspx.vb code-behind page Locate the cmdChangeStatus_Click event procedure The cmdChangeStatus_Click event procedure calls the Tailspin_WriteDBUtils.OrdersDB.ChangeOrderStatus method to update the order status in the database In Visual Studio NET, expand the Tailspin_WriteDBUtils project in the 2300Labs.NET solution Open the OrdersDB.vb file Locate the ChangeOrderStatus method in the OrdersDB class The ChangeOrderStatus method again uses the DBConnection.ConnectionString property to open a connection with SQL Server This ConnectionString property will again be read from the TailspinToysDSN value in the Web.config file ! Test the ChangeOrderStatus.aspx page Build the TailspinToysAdmin.NET project Open Internet Explorer and browse to the http://localhost/ TailspinToysAdmin.NET/Private/ChangeOrderStatus.aspx page Change the status of an existing order number, and then click Change Status The connection string uses Windows authentication to connect to SQL Server The order status is successfully changed ... security_bulletins/ms02020_sql.asp iii iv Module 7: Securing Microsoft SQL Server How to Teach This Module This section contains information that will help you to teach this module Lesson: SQL Server Connections... be the trademarks of their respective owners Module 7: Securing Microsoft SQL Server Instructor Notes Presentation: 75 minutes Lab: 30 minutes This module provides students with an explanation... data from the SQL Server database Module 7: Securing Microsoft SQL Server vii Customization Information This section identifies the lab setup requirements for a module and the configuration changes