Secure .NET 1.1 Application From Users

Jan 20, 2006

Hi all.

I am developing an distributed VB.NET 1.1 application with a TripleDES capable socket layer for communication with my server app.

I need to secure the distributed app from the users within the organization I am developing it for (a franchise).

I do not wish to store any encryption keys in the source code as these would be obvious to any seasoned hacker through decompilation of my binaries (even with obfuscation). I have decided to use the windows DPAPI (under machine storage mode) to secure manually entered (at installation) encryption layer keys in the registry. The salt values for this DPAPI mode also need to be secured, as a disgruntled franchise owner may be the hacker (and hence would have admin privilege on the machine the software is installed on). Not as far fetched as you think !

This is the beginning of a vicious cycle. How do I secure and where do I store this salt value safely ? With it a hacker with admin privilige can easily decrypt my keys if they know I am using machine mode DPAPI. Can I use ACLs to protect the keys with an account I set up manually on the machine ? If so then I would need to be able to switch account identities in my code (which I haven't researched as yet) and then would need to store the password to that somewhere.

If anyone could offer any insight or direction it would be much appreciated.

View 11 Replies


ADVERTISEMENT

SQL 2012 :: Secure Login To Database For Web Users?

Feb 21, 2014

We build up a new website in .net mvc 4.0 on a w2012 server with MSSQL 2012 database.We use windows autentification and normal anonymous access through NT AUTHORITYIUSR who is also a login in the database.But we make extra login possibility for users who are registered and they can insert and modify data in some tables in the database. And I'am afraid of giving NT AUTHORITYIUSR insert and update for some column in tables.I think of set up a new login for the database. Run a new connection string on login and set up special permission for that extra user on the database, and let the user become a member of the ordinary user on the database.

View 0 Replies View Related

SQL Security :: How To Organize And Secure Database Users

Apr 21, 2015

Is there any way in which I could distinguish a group of Database users from the other users. Say for e.g. store the Database users hierarchically, etc. Adding a Prefix/Suffix to the user name as a distinguish-er will not work in my case. I want to restrict the deletion of these Database users. Even the login with sysadmin or serveradmin rights should not be able to DROP those Database users.

View 11 Replies View Related

DB Engine :: How Security Log Is Much Secure Than Application Log

Sep 17, 2015

SQL Server 2008 R2: How security log is much secure than application log?

View 3 Replies View Related

Secure SQL Server Remote Access From ISV Application

May 8, 2007

Hi guys



I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)



I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.



Have researched this a fair bit, but get somewhat lost amongst all the jargon.

View 6 Replies View Related

Can I Access SQL Login Users In ASP.Net Application

Sep 28, 2005

Hello All,

View 3 Replies View Related

See Application Users (View Server State) Within A Stored Procedure

Mar 17, 2008

Hello, i have a problem regarding stored procedures and view server state.

I have an application with a lot of stored procedures, one of them checks data of the connected users.
In SQL 2000 i had no problem getting this information, but in SQL server 2005 i do.

my stored procedure looks like this:


ALTER PROCEDURE [dba].[applsp_GetConnectionInfo]

(

@DBName varchar(100)

)

WITH EXECUTE AS OWNER AS

BEGIN

SET NOCOUNT ON



DECLARE @sCollationMaster VARCHAR(128);

DECLARE @sSqlString VARCHAR(900);



-- Determine collation from master database because collation from master and ultimo database may differ

SELECT @sCollationMaster = CAST(databasepropertyex('master', 'Collation') AS VARCHAR);



SET @sSqlString =

'SELECT max(status) AS Status, max(isnull(SCISUSENAME, ''ULTIMOLOGIN'')) AS Login

, MAX(Rtrim(Rtrim(convert(varchar(255), nt_domain)) + nt_username)) AS NTUser

, max(Rtrim(hostname)) AS Host, MAX(Rtrim(program_name)) AS Program

FROM master.dbo.sysprocesses JOIN dba.SCONNECTIONINFO on SCISPID = CAST(spid AS VARCHAR)

AND ( SCISUSENAME = ISNULL(loginame, '''') COLLATE ' + @sCollationMaster + ' OR ISNULL(loginame, '''') = ''ULTIMOLOGIN'')

WHERE ...... AND DB_NAME(dbid) = ''' + @DBName + '''

GROUP BY hostprocess

ORDER BY Login

';



EXEC(@sSqlString);

END

I've granted view server state permissions to my user 'dba' which is the db_owner.
When i execute the query in the stored procedure seperatly as dba i get all the info i need, but when i execute the stored procedure i don't see anything.

I seem to have the same problem with sp_who2
Executing it gives me information about everyone but when i put in a stored procedure like this:

alter procedure test

with execute as owner as

begin


EXEC sp_who2

end
I just see information about myself


View 5 Replies View Related

Can An Authorized User Like SA Create A Table Which The Owner Is Any Users Who Use The Application?

Aug 20, 2007

Hi,

autorized user: sa
any user : nuran
temporary table: birtablo

I need a stored procedure will execute by sa and it will create some required temporary tables for each users. For example table name is birtablo. I mean sa will create table for nuran, and when I checked the owner of the table (birtablo) I want to see nuran not dbo.
sa will execute following command:

create table nuran.birtablo (...........)

Is it possible to cerate a table by sa on behalf of any user? If it is, could you please explain?



Thanks

Nuran

View 5 Replies View Related

Schemas, Users, Logins, Database Roles, Application Roles

Mar 5, 2006

Hello,

I am new user of SQL Server. I have some problems with these words. I want to make my database works in my specified permissions. I will specify permissions with schemas and these schema wants an owner. I want this owner should be my user. When creating a user it needs a valid login. I am selecting my login and it occurs and error says this login has an different user. I am specifying permissions with roles. But i can't make association all of them. I hope i told my problem to you as well. If you explain these words to me and tell me how can i do my database's works with my own schemas, users and roles i'll be grateful. Thanks for advices.

Happy coding...

View 4 Replies View Related

Reporting Services :: Adding (new) Child Domain Users To SSRS As System Users?

Jul 28, 2015

We have an existing SSRS server, and have just created a new child domain. We'll be migrating users from the parent to the child, and want to add the users of that new domain with access to SSRS. In the parent domain they are able to access, but after migration with the child domain account, they cannot.

I have added the group CHILDDomain Users with a system user role on SSRS, and PARENTDomain Users was already there.

Is there any additional step I should/could take to get this active?

View 5 Replies View Related

Why Out Of The Blue Would VPN Users Be Unable To Connect To Database And Local Users Are Unaffected?

Mar 6, 2008

I have had this issue just pop up. I have local users who can connect fine, but my users that require connection by VPN cannot connect. I get the server not available or access denied error. I did confirm that the VPN'ers are connected to the network correctly and can see that their shares and mappings are correct. Any ideas? Thanking you all in advance!!

View 6 Replies View Related

SQL Security :: Did Not Create Any New Users And There Are No Other Users Listed In Accounts Section

Sep 28, 2015

I am trying to revert back to Windows 7 after upgrading to Windows 10, however it will not let me and the following message occurs: "Remove new accounts.Before you can go back to a previous version of Windows, you'll need to remove any user accounts you added after the most recent upgrade. The accounts need to be completely removed, including their profiles.You created one account (NT SERVICEMSSQLSERVER) Go to Settings> Accounts> Other users to remove these accounts and then try again".However I did not create any new users and there are no other users listed in the Accounts section.

View 2 Replies View Related

Stored Procedure To Get All Users Or All Users Of A Specific Country

Apr 30, 2008

hi alli've got two tables called "webusers" (id, name, fk_country) and "countries" (id, name)
at the meantime, i've a search-page where i can fill a form to search users. in the dropdown to select the country i included an option which is called "all countries".
now the problem is: how can i make a stored procedure that makes a restriction to the fk_country depending on the submitted fk_country parameter?it should be something like
SELECT * FROM webusers(if @fk_country > 0, which is the value for "all countries"){    WHERE fk_country = @fk_country}
who has an idea how to solve this problem?

View 9 Replies View Related

Difference Between Database -- &&> Users And Security --&&> Users

Nov 28, 2006

Hi Team,

In SQL Enterprise Manager, when we expand "Database -->Users", we see the

users there. When we expand "Security --> logins" we see the same users there.

Can you differentiate these two.

Thanks

Santhosh

View 1 Replies View Related

How To Secure Mdf

Sep 24, 2005

I am designing an application built on sql server 2000
how can I prohibit other sql server users from accessing my database and allowing only acceesing it through my application or through owner designer of sql server database.

my situation needs sometimes copying the db from the end user platforms to
my designer computer to analyze some problems or maintainenace or modification, and also I have no control on users windows environment and I need the end user professional not to enter the my db from outside my application.

So,
is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.

Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.

View 1 Replies View Related

Secure FTP

Apr 28, 2008

Hi,
Do you guys know how to call secure FTP from a script task in an SSIS package which can be done by invoking the exe like winscp from a script task

View 1 Replies View Related

Secure FTP

Apr 9, 2008

hi everybody ,
Can anybody tell me about Secure FTP
and how the code for uploading and downloading of files can be write using Visual C#
actually i have created code for Standad FTP(normal FTP), but when I am using it for secure FTP then the compiler is giving an Exception: "Unable to create Remote Server"
very confuse about what to do....??
even very small help would be very very appreciable
thanx .... Nics

View 9 Replies View Related

Distrib.exe Application Error , Application Failed To Initialize Properly(0xx0000142)

Apr 13, 2008

have SQL Server 2005 std edition SP1 installed on Windows 2003 Std edition .Configured Transactional (single Publisher and no clustered environment.)
Replication past two months working fine, Now
1.Distrib.exe application err is coming.

Due to which my job is failing (Distributor to Subscriber).
Iam attaching thw file.
Thanks
Sandeep

View 1 Replies View Related

How To Secure (.mdf And .ldf) DB Files?

Aug 9, 2004

Database files (.mdf and .ldf) could be copied and explored by attaching them to any other instance of sqlserver.
How we could secure those files as we can do for Access file using a password ?

Thanks for any comment.

skentafi

View 1 Replies View Related

How Can I Keep My DB Secure On SQL Server

Nov 11, 2005

hi
this is my 1st time on this forum, I need to keep my DB secure on SQL server, that no body can enter into my DB and couldnt see my tables and other elements of DB.

Regards
AHK

View 2 Replies View Related

Secure Dts Packages

Mar 21, 2006

i need to set up a sql server login that can query the database, but i don't want it to be able to see scheduled jobs or dts packages

actually if i could keep it out of enterprise manager altogether that would be great

how can i set this up?

View 1 Replies View Related

How Can I Secure My MDF File?

Jun 30, 2005

If a user is a local admin of the box they can gain full access to the database via integrated security. They can create their own database and attach .MDF
How can i secure the .MDF so that no one can gain access to it?

View 1 Replies View Related

How Secure Is Sql Ce Password?

Mar 5, 2008

I have developed an application that uses a SQL Server compact edition database (.sdf). The database contains important data that I do not wish people to access.

My question is if I choose to Encrypt the database using the option available when you create the database and specify a password how secure is it ?

Are there tools on the market that will be able to crack this password and therefore gain access ?

Thanks

View 1 Replies View Related

Is Installation Secure ?

Jul 20, 2005

We can find a lot of recommandations about how to secure a SQL*Server configuration.Does anyone have scripts to do it ?Any advices or links are welcome

View 2 Replies View Related

Secure Replication

Jul 20, 2005

How would I set up secure replication between 2 servers that are indifferent cities?Would I need to define linked servers first?Would I use SSL?Help appreciated. Thanks.Steve*** Sent via Developersdex http://www.developersdex.com ***Don't just participate in USENET...get rewarded for it!

View 1 Replies View Related

How To Secure The Database

Jul 10, 2007

Hello...



I develop a .NET Application which uses a SQL Express Database. The application will be distributet to several customers. That means the customer must have (or install) SQL Server Express Edition .

But we dont want that the users manual access to the database.

As far as understand that is not possible because the user (customer) will be the administrator for the SQL Server Express because it runs in his own PC (no password security).

Am I right? Thank you..

View 1 Replies View Related

Possible To Secure Using .Net StrongNameIdentityPermission?

Oct 24, 2006

Is it possible to secure a SQL Server database or schema using a technique such as the .Net StrongNameIdentityPermission attribute? The intent is that SQL Server would only permit transactions coming from assemblies which were signed with a particular .Net StrongName private key.

We are installing a 3rd party SQL Server / ASP.Net application which must run in our DMZ and we are looking for all possible measures to secure the SQL Server database.

Thanks

View 1 Replies View Related

How Can I Secure My MDF File?

Jun 30, 2005

If a user is a local admin of the box they can gain full access to the database via integrated security. They can create their own database and attach .MDF

View 24 Replies View Related

How Can I Secure My Database??

Jun 16, 2007

hello all,

I've recently started using sql express 2005. I've used the features very conveniently.

But one thing i coudn't understand is how can i secure my database from unwanted access.

I've Installed Sql Express 2005 with mixed mode authentication (Sql authentication) and attached my Database. But it also connects with Windows authentication, and all my data tables are openly visible.!!

How can i Secure my database now..!!!

My intention is to restrict access to my databases only to certain users (may be SQL Logins)



Please guide me how to accomplish this...



Thanks

View 11 Replies View Related

List Users Then Disconnect Users

Jun 4, 2008

I want to be able to list all users connected/logged in a specific database and disconnect them all or a certain user.

can this be done in SQL and if so how?

View 1 Replies View Related

Users Get Blocked By Other Users Alot

Sep 26, 2007

We are using Navision with SQL server 2003.

What kind of methods is there out there to reduce hwo often this happens?

View 10 Replies View Related

Are Packets From .NET To SQL Server Secure?

Feb 20, 2004

When I'm getting data from sqlserver using ado.net and a sqldataadapter, are the resultant network traffic packets secure? If I wanted to deploy my objects at a remote site, would I still be safe going straight to my sql server from there or should I build a web service and then auto generate 'remote' versions of my objects that will then communicate to the web service on https?

thanks
pat

View 2 Replies View Related

Enterprise Manager - How Secure Is It?

Oct 30, 2004

I connect to my clients SQL databases via Enterprise Manager. Most of the time the SQL server resides at a web host. A colleague recently told me that this is a huge security hole and I should be using Remote Desktop instead.

I would appreciate other input, opinions, and guidance on this issue.

View 2 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved