websecurity@lists.webappsec.org

The Web Security Mailing List

Database Configuration cheat sheet

Anurag Agarwal
Thu, Feb 9, 2012 5:40 PM

Hello List - I was putting together a cheat sheet on security considerations
for a database account used by a web application. I know I am overlooking a few
points, so I thought I would reach out to the community to add to the list.

Here is what I have put so far

Database Configuration Cheat Sheet

  1. Windows Authentication should be preferred over SQL authentication (if
    possible)
  2. If using SQL Authentication maybe do IP binding? (thoughts?)
  3. Database passwords should not be stored in cleartext in the configuration
    file
  4. Database credentials should not be hard coded in the code
  5. Application should not connect to the database with an admin account
  6. Application account should have least privileges
  7. Application account should not have access to any system tables or stored
    procedures
  8. Application account should not have privileges like Drop Table, Create
    Stored Procedure or Triggers

Thoughts/Comments?

Thanks,

Anurag Agarwal
MyAppSecurity
Cell - 919-244-0803
Email - anurag@myappsecurity.com
Website - http://www.myappsecurity.com
Blog - http://myappsecurity.blogspot.com
LinkedIn - http://www.linkedin.com/in/myappsecurity
Twitter: https://twitter.com/#!/myappsecurity
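The following T-SQL is an added example, not code from the original post or from MyAppSecurity, showing what items 1 and 5 through 8 of the list look like when provisioned on SQL Server: a Windows-authenticated login, a database user with no fixed-role membership, DML-only grants on the application schema, explicit DENYs for DDL, and a check run as the application account. The database name WebAppDb, the schema app, the domain CORP and the account names are assumptions for illustration.

```sql
-- Added example (not from the original post): least-privilege application
-- account on SQL Server. WebAppDb, schema "app", domain CORP and the account
-- names are assumptions for illustration.

-- Weak setting the cheat sheet warns against (items 5/6): the web application
-- running as a server administrator.
-- EXEC sp_addsrvrolemember 'CORP\webapp_svc', 'sysadmin';   -- do NOT do this

USE master;
GO

-- Item 1: prefer Windows (integrated) authentication. A domain service account
-- means no database password exists to store in web.config (items 3/4).
CREATE LOGIN [CORP\webapp_svc] FROM WINDOWS WITH DEFAULT_DATABASE = WebAppDb;
GO

-- Item 2 fallback: if SQL authentication is unavoidable, at least enforce the
-- Windows password policy and expiration on the SQL login.
-- CREATE LOGIN webapp_sql WITH PASSWORD = '<strong-random-secret>',
--     CHECK_POLICY = ON, CHECK_EXPIRATION = ON, DEFAULT_DATABASE = WebAppDb;

-- Item 7: keep OS command execution off at the instance level so no account,
-- compromised or not, can reach xp_cmdshell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

USE WebAppDb;
GO

-- Items 5/6: a plain database user mapped to the login. No db_owner,
-- db_ddladmin or other fixed role membership.
CREATE USER webapp_svc FOR LOGIN [CORP\webapp_svc] WITH DEFAULT_SCHEMA = app;
GO

-- Item 6: grant only the DML the application needs, scoped to its own schema,
-- never to the whole database.
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::app TO webapp_svc;
-- If the application goes through stored procedures, grant EXECUTE on the
-- schema instead of table-level DML, so ad-hoc statements against the tables
-- are not possible from the application account:
-- GRANT EXECUTE ON SCHEMA::app TO webapp_svc;
GO

-- Item 8: deny DDL explicitly. DENY wins over any GRANT inherited later
-- through a role. ALTER on the schema covers DROP TABLE, CREATE/ALTER
-- PROCEDURE and CREATE TRIGGER on objects inside "app".
DENY ALTER ON SCHEMA::app TO webapp_svc;
DENY CREATE TABLE, CREATE PROCEDURE, CREATE VIEW, CREATE FUNCTION TO webapp_svc;
GO

-- Item 7: hide object definitions (procedure bodies, view text) from the
-- application account even though it may execute them.
DENY VIEW DEFINITION ON SCHEMA::app TO webapp_svc;
GO

-- Check: impersonate the application account and list its effective
-- permissions on the schema. ALTER and VIEW DEFINITION must not appear.
EXECUTE AS USER = 'webapp_svc';
SELECT permission_name FROM fn_my_permissions('app', 'SCHEMA') ORDER BY permission_name;
REVERT;
GO
```

Run the script as a sysadmin with sqlcmd or SSMS; the GO separators are batch delimiters for those tools, not T-SQL. Items 3 and 4 are application-side concerns: with the Windows login above there is no password to protect, and if a SQL login must be used the secret belongs in protected configuration or a secrets store rather than in source or a cleartext config file.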
