SQL Server Forum / General / Security / November 2007

sql express 2005 security

Ming - 25 Nov 2007 03:50 GMT
Hi All,

I'm going to implement a standalone solution for my company's partners, which
is a VB.NET application with some $$ calculations.
Some rate data are sensitive and we chose to use SQL Server Express 2005 as
the local database engine.

My concern is, how can I protect my id & password to access SQL
Express?
At least I need to code it inside the VB.NET SqlConnection in order to access
the rate, and the VB.NET code could be reversible; I'm afraid someone
can hack into the code and discover the login credential.

Is there a way to prevent it?

Thanks.
Ben Nevarez - 25 Nov 2007 08:05 GMT
Ming,

You can use Windows authentication instead, and connect using a Windows
domain or local account. You will not need to provide a username or password.

Hope this helps,

Ben Nevarez
Senior Database Administrator
AIG SunAmerica

> Hi All,
>
[quoted text clipped - 12 lines]
>
> Thanks.
Ming - 25 Nov 2007 16:14 GMT
Hi Ben,

I can't get your meaning...?!
Since my application will run on a standalone machine, I can't force user to
login using specific username.
If they can login, they can view the data, right?

Also, how could I distribute the application to clients with a predefined
Windows a/c?
Can you tell me more about them?

Thanks.

"Ben Nevarez" <BenNevarez@discussions.microsoft.com> wrote in message news:02FE3BCB-EBA9-4F1E-ACBA-0C90031EA0D0@microsoft.com...

> Ming,
>
[quoted text clipped - 26 lines]
>>
>> Thanks.
Ben Nevarez - 25 Nov 2007 21:40 GMT
Ming,

You do not need to use a specific or predefined Windows username. You can
use any Windows user you want. You just need to give this user the required
permissions on the database.  

Regarding your question about "If they can login, they can view the data",
only the user who has been given permissions to the database will be able to
see the data.

Of course somebody will need to consider who else has access to that
computer, as maybe, if they have the permissions on Windows (not SQL Server),
they can still copy the database files, read backup files, etc.  

Hope this helps,

Ben Nevarez
Senior Database Administrator
AIG SunAmerica

> Hi Ben,
>
[quoted text clipped - 41 lines]
> >>
> >> Thanks.
Ming - 26 Nov 2007 13:05 GMT
Hi Ben,

The problem is that I don't know what a/c would be available on the client
machine.
So I must create one if I go for Windows authentication.

If I use SQL authentication and hardcode the username and password in it,
I must grant permissions to this a/c, and so someone who knows the password can
view the data.

"Ben Nevarez" <BenNevarez@discussions.microsoft.com> wrote in message news:8DB8735B-6A47-4605-A0A2-52103D2D5744@microsoft.com...

> Ming,
>
[quoted text clipped - 68 lines]
>> >>
>> >> Thanks.
Erland Sommarskog - 25 Nov 2007 23:26 GMT
> I can't get your meaning...?!
> Since my application will run on a standalone machine, I can't force
[quoted text clipped - 4 lines]
> Windows a/c?
> Can you tell me more about them?

With Windows authentication, you don't include UserID and Password in
the connection string; instead you have:

   Integrated Security=SSPI;

All that is needed is to make sure that the user has access to the server
and database.

And, yes, this means that the user will be able to connect to the database
by other means to view the data. But that is nothing you can prevent anyway.


Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

bass_player [SBS-MVP] - 26 Nov 2007 03:53 GMT
Or...you can encrypt your connection string inside your app.config file, the
same way you do it in ASP.NET web.config.  Here's a sample in C#:
http://davidhayden.com/blog/dave/archive/2006/03/14/2883.aspx

>> I can't get your meaning...?!
>> Since my application will run on a standalone machine, I can't force
[quoted text clipped - 16 lines]
> by other means to view the data. But that is nothing you can prevent
> anyway.
Ming - 26 Nov 2007 13:07 GMT
Thanks, this solution could be useful to me to some extent...!

"bass_player [SBS-MVP]" <bass_player@mvps.org> wrote in message news:OS7s8$9LIHA.4308@TK2MSFTNGP05.phx.gbl...
> Or...you can encrypt your connection string inside your app.config file
> like how you do it in ASP.NET web.config.  Here's a sample in C#
[quoted text clipped - 21 lines]
>> by other means to view the data. But that is nothing you can prevent
>> anyway.
Erland Sommarskog - 26 Nov 2007 23:04 GMT
> Or...you can encrypt your connection string inside your app.config file
> like how you do it in ASP.NET web.config.  Here's a sample in C#
> http://davidhayden.com/blog/dave/archive/2006/03/14/2883.aspx 

I can't say that I understood those posts, but I fail to see how you can
encrypt something like a connection string in a program, and then
decrypt it from within the program without leaving all keys in place.
Isn't it like locking your house and then leaving the key under the old
apple tree?

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
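The two approaches debated above, as an added C# example that is not code from the thread or from any of the posters: Erland's Integrated Security connection string, which puts no credential in the binary at all, and the protected-configuration idea bass_player raises, shown here by calling the Windows DPAPI (ProtectedData) directly, the same mechanism one of .NET's built-in protected-configuration providers uses. The instance name .\SQLEXPRESS, the database RatesDb and the SQL login rates_app are assumptions chosen for illustration; the password is a placeholder.

```csharp
using System;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.Text;

// Added example, not code from the thread. Instance, database and login
// names are assumptions; the SQL-auth password is a placeholder.
static class ConnectionStringSamples
{
    // (1) Windows authentication, as Erland describes: SQL Server verifies the
    // Windows token of whoever runs the program, so the connection string has
    // no User ID or Password for a decompiler to recover.
    public static string WindowsAuthConnectionString()
    {
        var b = new SqlConnectionStringBuilder
        {
            DataSource = @".\SQLEXPRESS",  // assumed local Express instance
            InitialCatalog = "RatesDb",    // assumed database
            IntegratedSecurity = true      // emits "Integrated Security=True"
        };
        return b.ConnectionString;
    }

    // Review check: does a connection string (e.g. the one that ships in
    // app.config) still embed a SQL login?
    public static bool EmbedsCredential(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);
        return b.UserID.Length > 0 || b.Password.Length > 0;
    }

    // Opens a connection under the caller's Windows identity and asks SQL Server
    // who it sees. The permissions that apply are those granted to that Windows
    // login in the database, as Ben describes. Requires a reachable instance.
    public static string WhoAmI()
    {
        using (var conn = new SqlConnection(WindowsAuthConnectionString()))
        using (var cmd = new SqlCommand("SELECT SUSER_SNAME();", conn))
        {
            conn.Open();
            return (string)cmd.ExecuteScalar();
        }
    }

    // (2) DPAPI protection of a SQL-auth connection string. No key appears in
    // the code or the config: Windows derives it from the user's logon secret.
    // That is exactly the limit Erland points out: any process running as the
    // same Windows user (or, with DataProtectionScope.LocalMachine, any process
    // on the machine) can call Unprotect and read the login back.
    public static byte[] ProtectForCurrentUser(string connectionString)
    {
        byte[] plain = Encoding.UTF8.GetBytes(connectionString);
        return ProtectedData.Protect(plain, null, DataProtectionScope.CurrentUser);
    }

    public static string UnprotectForCurrentUser(byte[] blob)
    {
        byte[] plain = ProtectedData.Unprotect(blob, null, DataProtectionScope.CurrentUser);
        return Encoding.UTF8.GetString(plain);
    }

    static void Main()
    {
        string winAuth = WindowsAuthConnectionString();
        Console.WriteLine(winAuth);
        Console.WriteLine("Embeds credential: " + EmbedsCredential(winAuth));

        // Constructed SQL-auth string with a placeholder password, for contrast.
        string sqlAuth = @"Data Source=.\SQLEXPRESS;Initial Catalog=RatesDb;" +
                         "User ID=rates_app;Password=<placeholder>";
        Console.WriteLine("Embeds credential: " + EmbedsCredential(sqlAuth));

        byte[] blob = ProtectForCurrentUser(sqlAuth);
        Console.WriteLine("Protected blob for app.config: " + Convert.ToBase64String(blob));
        // Same user, same machine: the secret is recovered without any key in the code.
        Console.WriteLine("Round-trips: " + (UnprotectForCurrentUser(blob) == sqlAuth));

        try
        {
            Console.WriteLine("SQL Server sees login: " + WhoAmI());
        }
        catch (SqlException ex)
        {
            Console.WriteLine("No reachable instance: " + ex.Message);
        }
    }
}
```

On .NET Framework, ProtectedData lives in the System.Security assembly, which must be referenced; on newer .NET it is in the System.Security.Cryptography.ProtectedData package and is Windows-only. The round trip in Main is the point of the example: DPAPI keeps the password out of the shipped file, but it does not take it away from the Windows account the application runs under, which is the account Ming cannot control on a partner's machine. Windows authentication sidesteps the problem by having no secret to protect, at the cost Ben and Erland describe: a user who may connect can also read the data by other means.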
