Re: SP Permission Inheritance and Table Creation

From: Dan Guzman (danguzman_at_nospam-earthlink.net)
Date: 07/27/03


Date: Sun, 27 Jul 2003 16:25:57 -0500


I understand your reluctance to hardcode passwords in your app as plain
text. IMHO, encryption is adequate for most applications but I'm no
expert about the vulnerabilities you describe. You might take a look at
'Building and Configuring More Secure Web Sites'
<http://msdn.microsoft.com/security/securecode/bestpractices/default.aspx?pull=/library/en-us/dnnetsec/html/openhack.asp>
to see if some of the techniques address your concerns.

Another technique you might consider for your data refresh is to create
a reoccurring SQL Agent Job owned by a db_owner role member that
performs the task. The job could query a table to determine if a data
refresh request has been submitted and perform the load and rename, if
needed. Users would only need permissions to execute a proc that
updates the request table.

-- 
Hope this helps.
Dan Guzman
SQL Server MVP
"Meir Simcha Kogan" <mkogan@chabadonline.com> wrote in message
news:O2JpDnHVDHA.2568@tk2msftngp13.phx.gbl...
> This helps a lot.. one question though....
>
> we went at all lengths to avoid hardcoding (or even storing it
> externally encrypted) because we found that a slick user could read
> the memory space on his computer and find the line that actually makes
> the connection. --
> therefore we limited all permissions to SPs which themselves enforce
> security.
>
> So what stops a user from 'sniffing' the app role password and then
> connecting on his own?
>
> Thanks
>
> -- 
> Meir Simcha Kogan
> Chabad.org Development Team
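The request-table pattern Dan describes above, written out as an added T-SQL sketch that is not part of the original post. The table, procedure, role (AppUsers), live/staging table names and feed path are assumptions, and the TRY/CATCH block assumes SQL Server 2005 or later:

```sql
-- Request table: end users never get direct rights on it.
CREATE TABLE dbo.RefreshRequest (
    RequestId   int IDENTITY(1,1) PRIMARY KEY,
    RequestedBy sysname  NOT NULL DEFAULT SUSER_SNAME(),
    RequestedAt datetime NOT NULL DEFAULT GETDATE(),
    Status      varchar(10) NOT NULL DEFAULT 'Pending'  -- Pending / Done / Failed
);
GO
-- The only object the application users can execute: it just files a request.
CREATE PROCEDURE dbo.usp_RequestRefresh
AS
    SET NOCOUNT ON;
    INSERT INTO dbo.RefreshRequest DEFAULT VALUES;
GO
GRANT EXECUTE ON dbo.usp_RequestRefresh TO AppUsers;  -- AppUsers: assumed database role
GO
-- Body of the SQL Agent job step. The job is owned by a db_owner member and
-- scheduled every few minutes, so the load runs with the owner's rights and
-- no privileged credential is ever placed in the client application.
-- Assumed names: dbo.SalesData (live), dbo.SalesData_Staging (loaded from the feed).
IF EXISTS (SELECT 1 FROM dbo.RefreshRequest WHERE Status = 'Pending')
BEGIN
    BEGIN TRY
        BEGIN TRANSACTION;
        TRUNCATE TABLE dbo.SalesData_Staging;
        BULK INSERT dbo.SalesData_Staging
            FROM 'C:\feeds\sales.csv'              -- assumed feed location
            WITH (FIELDTERMINATOR = ',', ROWTERMINATOR = '\n');
        -- Swap the freshly loaded table in under the live name
        EXEC sp_rename 'dbo.SalesData',         'SalesData_Old';
        EXEC sp_rename 'dbo.SalesData_Staging', 'SalesData';
        EXEC sp_rename 'dbo.SalesData_Old',     'SalesData_Staging';
        UPDATE dbo.RefreshRequest SET Status = 'Done' WHERE Status = 'Pending';
        COMMIT TRANSACTION;
    END TRY
    BEGIN CATCH
        IF @@TRANCOUNT > 0 ROLLBACK TRANSACTION;
        UPDATE dbo.RefreshRequest SET Status = 'Failed' WHERE Status = 'Pending';
    END CATCH
END
```

With this split, a user who reads the connection string out of the client's memory only gains EXECUTE on usp_RequestRefresh; the load itself runs under the Agent job owner, whose credential never leaves the server.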

