Re: managing application role passwords without hard-coding them into applications
From: Russell Fields (rlfields@sprynet.com)
Date: 08/20/02
- In reply to: E Byrne: "managing application role passwords without hard-coding them into applications"
From: "Russell Fields" <rlfields@sprynet.com> Date: Tue, 20 Aug 2002 10:25:55 -0400
E,
You would have to give everyone who has access to this role rights to select
from the table that contains the encrypted password. This would allow the
app, authenticating as the person, to select the password. It would then
internally decrypt the password and then switch to the application role.
Russell Fields
"E Byrne" <savant42@hotmail.com> wrote in message
news:3c7901c24816$d68c1420$9de62ecf@tkmsftngxs01...
> The following is from SQL Server 7 Books Online:
>
> There are several options for managing application role
> passwords without hard-coding them into applications. For
> example, an encrypted key stored in the registry (or the
> SQL Server database), for which only the application has
> the decryption code, can be used. The application reads
> the key, decrypts it, and uses the value to set the
> application role. Using the Multiprotocol Net-Library, the
> network packet containing the password can also be
> encrypted. Additionally, the password can be encrypted,
> before being sent to SQL Server, when the role is
> activated.
>
> My question is how would I retrieve the key from a SQL
> Server DB (as stated above)?
> This suits all my requirements of restricting user access,
> preventing them from running ad hoc queries via Query
> Analyzer, MS Access etc. and would prevent the login info
> being hard-coded into the app (i.e. preventing developers'
> access to data).
>
> Anyone know how to achieve this?
>
> Thanks in advance for your help
>
> E
>
>
>
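The flow described in the reply above, sketched in T-SQL as an added example that is not part of the original thread. The names AppUsers, dbo.AppRoleSecret, SalesApp and dbo.Orders, and the placeholder password, are hypothetical; decryption happens in the client application and is only marked by a comment. Every member of AppUsers can read the stored ciphertext, so the protection rests on the decryption code and key inside the application.

```sql
-- One-time setup, run by the database owner.
-- All object names below are hypothetical, chosen for this example.
EXEC sp_addrole N'AppUsers';          -- ordinary users of the application

CREATE TABLE dbo.Orders (             -- stand-in for the protected data
    OrderId  int   NOT NULL PRIMARY KEY,
    Amount   money NOT NULL
);

CREATE TABLE dbo.AppRoleSecret (      -- holds only the encrypted password
    RoleName          sysname        NOT NULL PRIMARY KEY,
    EncryptedPassword varbinary(256) NOT NULL
);

-- Users may read the ciphertext but never change it, and they get
-- no rights at all on the data tables themselves.
GRANT SELECT ON dbo.AppRoleSecret TO AppUsers;
DENY INSERT, UPDATE, DELETE ON dbo.AppRoleSecret TO AppUsers;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO AppUsers;

-- Data access is granted only to the application role.
EXEC sp_addapprole @rolename = N'SalesApp',
                   @password = N'REPLACE-WITH-ROLE-PASSWORD';  -- placeholder
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO SalesApp;
GO

-- At run time, on a connection authenticated as the individual user:

-- Step 1: the application reads the ciphertext.
SELECT EncryptedPassword
FROM   dbo.AppRoleSecret
WHERE  RoleName = N'SalesApp';
GO

-- Step 2 (client side, not T-SQL): the application decrypts the value
-- with the key or code that only it contains.

-- Step 3: the application activates the role with the decrypted value.
-- The variable stands in for a parameter supplied by the client.
DECLARE @decrypted sysname;
SET @decrypted = N'REPLACE-WITH-ROLE-PASSWORD';  -- placeholder for step 2's result
EXEC sp_setapprole @rolename = N'SalesApp', @password = @decrypted;

-- From here on the connection has the SalesApp permissions and has
-- dropped the user's own database permissions.
SELECT OrderId, Amount FROM dbo.Orders;
```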