Re: The SA Mess
From: Mike Epprecht (SQL MVP) (mike_at_epprecht.net)
Date: 03/18/05
- Previous message: Russell Stevens: "Re: The SA Mess"
- In reply to: Russell Stevens: "Re: The SA Mess"
- Next in thread: Russell Stevens: "Re: The SA Mess"
- Reply: Russell Stevens: "Re: The SA Mess"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Mar 2005 00:54:15 +0100
Hi
If the DB password is hard coded in your application, any 1/2 geek with 3
minutes of access to the .EXE will figure out the password.
TDS is a known transport protocol. Sniffing what is going up and down the
wire is easy enough as it is not encrypted. Seriously, look at a middle
tier, and use something like HTTPS and web services to supply functionality
to your application.
If there is any personal information going up and down the wire, un-secured
and un-encrypted, you could fall foul of Privacy Legislation in many
countries. With the Internet, a user could be in Europe.
Regards
--------------------------------
Mike Epprecht, Microsoft SQL Server MVP
Zurich, Switzerland
IM: mike@epprecht.net
MVP Program: http://www.microsoft.com/mvp
Blog: http://www.msmvps.com/epprecht/
"Russell Stevens" <rustyprogrammer@online.nospam> wrote in message
news:OAadjl0KFHA.4092@TK2MSFTNGP10.phx.gbl...
> Ross,
>
> <<On the other hand, to me, opening up the SQL Server port to the Internet
> for all comers seems downright suicidal.>>
>
> I have done this for many years - I am still alive <g> - never really had
> a problem with the occasional hacker trying to get in. It is just recently
> when the volume has gone up noticeably.
>
> <<For example, if 100 of your
> users are in the same company, you could issue one "access the app" account
> to that company and let them share it. Taking a step further, I get the
> impression that you are distributing a desktop app which is going to access
> the database -- you could have the app do the login for the user (open up a
> HTTP connection). You could even get the app to retrieve a
> username/password from a web page, then use it to log in to the firewall
> ... but this starts to sound kludgy, like something *I* might set up.>>
>
> The Windows app has a password to access the SQL db. Each user has a
> password stored in the db that allows them to run the Windows app. So
> basically now I just need to manage one password per database - the customer
> can then add users and assign their own passwords for running the Windows
> app (a license allows them x users). The users do not know the db password.
> If users need to enter a password to get access to the db (whether via a web
> page or some more stuff in the Windows app) then that password would be
> pretty public <g>.
>
> I need to learn more about how to program one of these firewalls - perhaps
> the Windows app can send a password to the firewall, then the firewall could
> open the port for just that IP. I did visit the web pages of the two
> firewalls you mentioned - not enough info there to figure out the mechanics
> of actually doing something like this.
>
> Of course, I would be perfectly happy with a Microsoft solution where SQL
> Server would not allow constant unsuccessful sa login attempts (or constant
> login attempts for any login) - in my opinion that is just not the correct
> design. Microsoft could easily fix that (and I think they have for SQL
> 2005).
>
> Thanks
> Russ Stevens
>
>
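[Editor's added example, not code from Mike, Russ or anyone else in the thread.] Mike's first point, that a password compiled into the .EXE is recoverable in minutes, needs nothing more than a printable-string scan of the file (what strings(1) does), in both 8-bit and UTF-16LE, the encoding Windows programs normally keep string literals in. The script below does that scan and pulls out any ADO/OLE DB-style "Key=Value;..." connection string that carries a password. The byte blob standing in for the compiled client, the host names and the passwords are all constructed for this example.

```python
"""Recover a hard-coded SQL Server connection string from a compiled binary.

Added example for the thread above, not code from the original post. The
binary image below is CONSTRUCTED: x86-looking filler bytes with two string
literals embedded, one 8-bit and one UTF-16LE, the way a compiled Windows
client would carry them.
"""
import re

# Connection-string keys that matter to an attacker, normalised to one name each.
CRED_KEYS = {
    "data source": "server", "server": "server",
    "initial catalog": "database", "database": "database",
    "user id": "user", "uid": "user",
    "password": "password", "pwd": "password",
}


def extract_strings(data: bytes, min_len: int = 8):
    """Return printable runs of at least min_len chars, ASCII first, then UTF-16LE."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + rb",}")
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + rb",}")
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)]
    return found


def parse_connection_string(s: str):
    """Parse 'Key=Value;...' into normalised fields; None unless a password is present."""
    fields = {}
    for part in s.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        name = CRED_KEYS.get(key.strip().lower())
        if name:
            fields[name] = value.strip()
    return fields if "password" in fields else None


def find_credentials(data: bytes):
    """Scan a binary image and return every embedded connection string with a password."""
    hits = []
    for s in extract_strings(data):
        parsed = parse_connection_string(s)
        if parsed:
            hits.append(parsed)
    return hits


def scan_file(path: str):
    """Run the scan over a real file on disk (e.g. the shipped client .EXE)."""
    with open(path, "rb") as f:
        return find_credentials(f.read())


def build_sample_exe() -> bytes:
    """CONSTRUCTED stand-in for a compiled client; values are made up for the example."""
    filler = b"\x55\x8b\xec\x83\xec\x40" * 40  # prologue-like bytes, no long printable runs
    ansi = (b"Provider=SQLOLEDB;Data Source=db.example.net,1433;"
            b"Initial Catalog=Orders;User ID=appuser;Password=Sup3rS3cret!")
    wide = "Server=db.example.net;Database=Orders;uid=sa;pwd=hunter2".encode("utf-16-le")
    return filler + ansi + b"\x00" + filler + wide + b"\x00\x00" + filler


if __name__ == "__main__":
    for hit in find_credentials(build_sample_exe()):
        print(hit)
```

Obfuscating the literal (XOR, Base64, a "decrypt" routine in the same .EXE) only moves the problem: the cleartext has to exist in memory when it is handed to the driver, and a debugger breakpoint on the connect call catches it there. That is the reason for Mike's advice to keep the database credential on a middle tier the client never sees.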
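[Editor's added example, not code from anyone in the thread.] Russ's closing complaint is that SQL Server itself will sit there accepting endless failed sa logins. Until the engine does something about that, the operator has to detect it from the error log and act at the firewall. The script below reads "Login failed for user ..." lines in the format the SQL Server error log writes, keeps a sliding window of failures per client address, and raises one alert per address that reaches a threshold inside the window; the set of login names tried tells a single-account brute force apart from an attacker walking a list of logins. The log lines are constructed for the example; lines that carry no "[CLIENT: ...]" suffix are grouped under "unknown".

```python
"""Flag brute-force login attempts against SQL Server from its ERRORLOG.

Added example for the thread above, not code from the original post. The
log excerpt is CONSTRUCTED in the error-log line format; the addresses are
documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\."
    r"(?:.*\[CLIENT: (?P<client>[^\]]+)\])?"
)


def parse_failures(lines):
    """Yield (timestamp, login name, client address) for each failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if not m:
            continue  # other engine messages, including the paired 'Error: 18456' line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        yield ts, m["user"], m["client"] or "unknown"


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window failure count per client; returns a list of alert dicts."""
    recent = defaultdict(deque)  # client -> timestamps still inside the window
    logins = defaultdict(set)    # client -> distinct login names attempted
    alerts = {}
    for ts, user, client in parse_failures(lines):
        q = recent[client]
        q.append(ts)
        logins[client].add(user)
        while ts - q[0] > window:  # drop failures that have aged out of the window
            q.popleft()
        if len(q) >= threshold:
            # Re-record on every further failure so the alert carries the latest picture.
            alerts[client] = {
                "client": client,
                "failures_in_window": len(q),
                "first": q[0],
                "last": ts,
                "users": set(logins[client]),
            }
    return list(alerts.values())


# CONSTRUCTED error-log excerpt: one address hammering sa (plus one other login),
# one legitimate user fat-fingering a password twice more than a minute apart.
SAMPLE_ERRORLOG = """\
2005-03-17 23:50:58.04 spid5       Recovery complete.
2005-03-17 23:51:02.12 Logon       Error: 18456, Severity: 14, State: 8.
2005-03-17 23:51:02.12 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2005-03-17 23:51:09.31 Logon       Error: 18456, Severity: 14, State: 8.
2005-03-17 23:51:09.31 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2005-03-17 23:51:15.77 Logon       Login failed for user 'orders_app'. [CLIENT: 192.0.2.10]
2005-03-17 23:51:17.02 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2005-03-17 23:51:24.55 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2005-03-17 23:51:31.90 Logon       Login failed for user 'admin'. [CLIENT: 198.51.100.23]
2005-03-17 23:51:39.18 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.23]
2005-03-17 23:52:40.00 Logon       Login failed for user 'orders_app'. [CLIENT: 192.0.2.10]
""".splitlines()


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_ERRORLOG):
        print(f"{alert['client']}: {alert['failures_in_window']} failures "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}, logins {sorted(alert['users'])}")
```

Run it against a tail of the live ERRORLOG and feed the alerted addresses to whatever block list the firewall in front of port 1433 honours. The threshold and window are the tuning knobs: a handful of failures a minute from one address is a typo, dozens are a dictionary run, and a different login name on every attempt is a spray.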