Is it a bad practice to use Integrated Security=True
on a production server in ASP.NET?
Nope - perfectly safe*
All you are doing is saying that you are going to use the credentials of (usually) the Windows user that the process is running under in order to authenticate with SQL Server (as opposed to supplying a username and password).
In fact in general using integrated security is considered more secure.
(*) Of course it always depends on your exact situation, but in the general case yes its fine.
This can be a good thing or a bad thing depending on the account that IIS is using to run the web application.
In any case, there is a distinct advantage that the SQL user id and password does not appear in the connection string; always a good thing.
However, you need to carefully setup your production environment. I would suggest that you create a distinct user account for IIS to use to run the web application. That user account could be configured to have access to only the SQL resources required by your application. That would protect you from have other applications easily compromised in the event that your web application's security is compromised.
I've heard of programmers doing acrobatics where a SQL connection string with the user id and password is loaded at run-time from an encrypted resource :-)
Answer to the title question:
You should not touch (less use) anything in production environment while you are having such questions or doubts!
Answer to body question:
SQL Server in production should not be enabled for SQL Server authentication at all
Update:
I am surprised to see that all answers use probabilistic "this depends", "in some cases", "more" possibilities.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With