Re: Application Security

From: Nathan Bullock (nathan_kent_bullock_at_yahoo.ca)
Date: 08/26/03


Date: 26 Aug 2003 07:11:15 -0700


Thank you very much for the answer.

It is a Windows Forms application and the solutions you gave were
exactly the sort of ideas I was looking for. I already knew that our
solution was very insecure but sometimes it is tough getting other
people to see this.

Anyway thanks again. Any continued ideas or comments on this subject
from other posters would definitely be appreciated.

Nathan Bullock

"Alek Davis" <alek_DOT_davis_AT_intel_DOT_com> wrote in message news:<OyfpTN2aDHA.300@TK2MSFTNGP12.phx.gbl>...
> Nathan,
>
> It would've helped if you defined what you meant by ".NET (C#) clients." Are
> these Windows Forms applications, ASP.NET applications, Windows services, or
> something else? Do they run on end users' desktops or on the servers? Who
> are the users of these applications? Are they end users or administrators
> responsible for installing and configuring these client applications? Does
> your application run in a Windows domain (Active Directory) environment or a
> workgroup? You see, depending on how you answer this question, the solution
> may be easy, not so easy, difficult, or very difficult.
>
> I assume that your C# clients are not distributed to end users. If they are
> and they do connect to the database server directly, you should probably
> rethink your application architecture. It is normally not recommended to
> allow front-end applications (such as Windows Forms or Web Forms) to connect
> to database servers directly. The recommended approach is: the front end
> (GUI) calls the middle tier implementing the business logic and the middle
> tier makes the database calls. Calls between the GUI and the business layer
> are normally done using remoting, Web services, or, in cases of ASP.NET
> applications, class libraries (since in the latter scenario the GUI
> generating logic already runs on a remote - i.e. Web - server). In this
> architecture, you are not concerned about end users being able to get your
> connection string info as much as if you would otherwise, although you still
> need to implement at least some protection against internal hackers (or risk
> of compromised system).
>
> Under certain conditions, the best option would be to use Integrated Windows
> authentication, so the C# clients would not have to specify SQL credentials
> when connecting to the database server (and therefore would not have to
> store them). Unfortunately, in quite a few cases, this is not a feasible or
> efficient approach, so if you need to use SQL authentication, you have a
> challenge. There are certain options available, but in the end, you will
> basically have to pick between bad solutions and very bad solutions.
>
> You can review Microsoft recommendations related to this issue at
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp
> (Data Access Security), but all of their suggestions have limitations.
> "Writing Secure Code" by Michael Howard and David LeBlanc also has a chapter
> dedicated to this topic (it is not available online, though, but I would
> recommend this book to every developer). In my humble opinion,
> CipherSafe.NET (http://www.obviex.com/ciphersafe/) comes closest to the
> ideal solution, but depending on the type of your application, it may not
> work for you.
>
> --
> Alek
>
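
The difference between Integrated Windows authentication and SQL authentication discussed in the quoted reply is visible in the connection string itself. The following C# check is an added example, not part of the original posts: the `ConnectionStringAudit` helper, the server and database names, and the account values are all constructed for illustration. It flags connection strings that store SQL credentials with the client.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class ConnectionStringAudit
{
    // SqlClient keywords (and synonyms) that carry SQL authentication credentials.
    static readonly string[] CredentialKeys = { "User ID", "UID", "Password", "PWD" };
    // SqlClient keywords that select Integrated Windows authentication.
    static readonly string[] IntegratedKeys = { "Integrated Security", "Trusted_Connection" };

    // Returns one finding per stored credential; an empty list means none is stored.
    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        // The generic builder parses key=value pairs; keys are case-insensitive.
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };

        bool integrated = false;
        foreach (string key in IntegratedKeys)
        {
            if (!parsed.TryGetValue(key, out object value)) continue;
            string v = Convert.ToString(value).Trim().ToLowerInvariant();
            integrated |= v == "sspi" || v == "true" || v == "yes";
        }
        foreach (string key in CredentialKeys)
            if (parsed.ContainsKey(key))
                findings.Add(integrated
                    ? $"'{key}' is stored but ignored because Integrated Security is on; remove it"
                    : $"'{key}' is stored with the client (SQL authentication)");
        return findings;
    }

    static void Main()
    {
        // Constructed sample strings; server, database and account are placeholders.
        string[] samples =
        {
            "Server=dbserver01;Database=Orders;User ID=app_user;Password=EXAMPLE-ONLY",
            "Server=dbserver01;Database=Orders;Integrated Security=SSPI",
            "Server=dbserver01;Database=Orders;Trusted_Connection=yes;pwd=EXAMPLE-ONLY",
        };
        foreach (string s in samples)
        {
            List<string> f = Audit(s);
            Console.WriteLine(f.Count == 0 ? "OK: no stored credentials" : string.Join("; ", f));
        }
    }
}
```

The third sample shows a case that is easy to miss: the connection succeeds with Windows authentication, yet a leftover password still sits in the configuration where anyone with access to the client can read it.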


