Re: Application Security

From: Nathan Bullock (nathan_kent_bullock_at_yahoo.ca)
Date: 08/28/03 

Date: 28 Aug 2003 13:07:16 -0700

Thank You to everyone who has replied so far.

As I have continued to look into this issue of application security I
am wondering, is there anything wrong with having SQL server
completely handle the security of the application?

What I mean is that every user of the application (a windows form) has
their own account on SQL Server, these users only have access to
specific views and stored procedures (we let these things limit a
users access to data). To log into the application the user enters
their SQL server username and password (this means we don't have to
concern ourselves with keeping these items secure, SQL server does it
for us), and we don't care if they have access to the SQL Server
connection string (since even if they use something like enterprise
manager they still only have access to, and can only modify, the data
they are supposed to have access to).

Any security set up in the application can just modify permissions in
SQL server. The views can be dynamic to show different data to
different users. The stored procedures can check if they are allowed
to change, update, or delete specific items. etc.

Any way is this a legitimate way to do things? Or is it just plain
dangerous?

Nathan Bullock

Relevant Pages

  • Re: SQL or Access DB
    ... As far as encryption goes though... ... with Sql Server you can use SQL DMO and encrypt your stored procedures ... installation - Security was absolutely critical and in most instances, ... > then we create a nice gui around this database and sell it to automotive ...
    (microsoft.public.dotnet.languages.vb)
  • Re: Is there any way to prevent hacker trying to guess sa password?
    ... and port 1433 will not be open. ... If someone can crash SQL Server by connecting to port 1433, ... You don't need multiple security experts. ...
    (microsoft.public.sqlserver.security)
  • Re: Getting to the bottom of MSDE network connection problems ...
    ... Brilliant, Nick, especially the explanation for local network user being ... authenticated as GUEST in WinXP SP2. ... > on a desktop OS like XP (meaning that, you can not compare SQL Server ... > again and selected the security tab. ...
    (microsoft.public.sqlserver.msde)
  • RE: Login failed for user (null).
    ... used at signon to authenticate in SQL Server. ... connect the remote SQL Server database), is there any other data accessing ... What's the security identity used to access the remote SQL Server, ... the worker process identity. ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • [NT] SQL Extended Procedure Functions Contain Unchecked Buffers
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SQL Server 7.0 and 2000 provide extended stored procedures, ... Several of the Microsoft-provided extended stored procedures have been ... Exploiting the flaw could enable an attacker to either cause the SQL ...
    (Securiteam)