How to protect db from being accessed by unauthorized applications
From: Karsten Beck (Karsten.Beck_at_foto-beck.de)
Date: 01/22/04
Date: Thu, 22 Jan 2004 22:05:48 +0100
I have an interesting problem:
I want to protect an SQL Server database from being accessed by any other
application than my own. The reason is that I want to add additional
security based on actual data in the database, i.e. the user should not read
data with a specific content. In my opinion, that can only be solved by
building this into the application.
I know I can use my own application identity to log on. Just create an SQL
Server user "MyApplication" and a secret password that only the application
knows. But this is not secure enough because anyone can get the password by
sniffing the logon API calls.
The other way may be using Windows security. Create a Windows user
"MyApplication", call LogonUser and set the current user of my application
to this user. Create the same user on the SQL Server. Log on to SQL Server by
using Windows security (no password necessary when logging onto SQL
Server) - Same problem: An attacker can get the password by sniffing the
LogonUser API call.
Additionally, there is no way to audit user actions any more when using
application identity.
Did anyone solve a similar problem? Any suggestions will be appreciated...
Karsten