Re: The SA Mess

From: Mike Epprecht (SQL MVP) (mike_at_epprecht.net)
Date: 03/18/05

    Date: Fri, 18 Mar 2005 00:54:15 +0100

    Hi

    If the DB password is hard coded in your application, any 1/2 geek with 3
    minutes of access to the .EXE will figure out the password.

    TDS is a known transport protocol. Sniffing what is going up and down the
    wire is easy enough as it is not encrypted. Seriously, look at a middle
    tier, and use something like HTTPS and web services to supply functionality
    to your application.

    If there is any personal information going up and down the wire, un-secured
    and un-encrypted, you could fall foul of Privacy Legislation in many
    countries. With the Internet, a user could be Europe.

    Regards
    --------------------------------
    Mike Epprecht, Microsoft SQL Server MVP
    Zurich, Switzerland

    IM: mike@epprecht.net

    MVP Program: http://www.microsoft.com/mvp

    Blog: http://www.msmvps.com/epprecht/

    "Russell Stevens" <rustyprogrammer@online.nospam> wrote in message
    news:OAadjl0KFHA.4092@TK2MSFTNGP10.phx.gbl...
    > Ross,
    >
    > <<On the other hand, to me, opening up the SQL Server port to the Internet
    > for all comers seems downright suicidal.>>
    >
    > I have done this for many years - I am still alive <g> - never really had
    > a problem with the occasional hacker trying to get in. It is just recently
    > when the volume has gone up noticeably.
    >
    > <<For example, if 100 of your
    > users are in the same company, you could issue one "access the app" account
    > to that company and let them share it. Taking a step further, I get the
    > impression that you are distributing a desktop app which is going to access
    > the database -- you could have the app do the login for the user (open up a
    > HTTP connection). You could even get the app to retrieve a
    > username/password from a web page, then use it to log in to the firewall
    > ... but this starts to sound kludgy, like something *I* might set up.>>
    >
    > The Windows app has a password to access the SQL db. Each user has a
    > password stored in the db that allows them to run the Windows app. So
    > basically now I just need to manage one password per database - the customer
    > can then add users and assign their own passwords for running the Windows
    > app (a license allows them x users). The users do not know the db password.
    > If users need to enter a password to get access to the db (whether via a web
    > page or some more stuff in the Windows app) then that password would be
    > pretty public <g>.
    >
    > I need to learn more about how to program one of these firewalls - perhaps
    > the Windows app can send a password to the firewall, then the firewall could
    > open the port for just that IP. I did visit the web pages of the two
    > firewalls you mentioned - not enough info there to figure out the mechanics
    > of actually doing something like this.
    >
    > Of course, I would be perfectly happy with a Microsoft solution where SQL
    > Server would not allow constant unsuccessful sa login attempts (or constant
    > login attempts for any login) - in my opinion that is just not the correct
    > design. Microsoft could easily fix that (and I think they have for SQL
    > 2005).
    >
    > Thanks
    > Russ Stevens
    >
    >
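The repeated failed sa logins Russ describes can at least be detected from the server's own error log even where the engine does not lock the account. The following is an added example, not code from either poster: a sliding-window counter over constructed SQL Server ERRORLOG "Login failed" lines (the line format is approximated from SQL Server 2005-style logging; the client IPs, timestamps and login names are constructed samples).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (format approximated, not taken from the thread).
# One source hammers 'sa' five times within a second, then once more later;
# a second source fails once against an application login.
SAMPLE_LOG = """\
2005-03-18 00:54:15.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-03-18 00:54:15.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-03-18 00:54:15.71 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-03-18 00:54:16.02 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-03-18 00:54:16.33 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
2005-03-18 00:55:02.00 Logon       Login failed for user 'appuser'. [CLIENT: 198.51.100.7]
2005-03-18 01:10:00.00 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.5]
"""

# Timestamp (fractional seconds dropped), login name and client address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]\s]+)\]"
)


def parse_failures(text):
    """Return a list of (timestamp, user, client_ip) for each failed-login line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("user"), m.group("client")))
    return out


def find_bruteforce(text, threshold=5, window=timedelta(minutes=1)):
    """Map (client_ip, user) -> time of first alert for any source whose failures
    against one login reach `threshold` inside a sliding `window`."""
    recent = defaultdict(deque)   # per (client, user): timestamps still in window
    alerts = {}
    for ts, user, client in parse_failures(text):
        key = (client, user)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and key not in alerts:
            alerts[key] = ts
    return alerts
```

On the sample, only the sa-hammering source trips the threshold; the lone failure against 'appuser' and the later isolated sa failure do not.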

