Secure .NET 1.1 Application From Users
Jan 20, 2006
Hi all.
I am developing a distributed VB.NET 1.1 application with a TripleDES capable socket layer for communication with my server app.
I need to secure the distributed app from the users within the organization I am developing it for (a franchise).
I do not wish to store any encryption keys in the source code as these would be obvious to any seasoned hacker through decompilation of my binaries (even with obfuscation). I have decided to use the windows DPAPI (under machine storage mode) to secure manually entered (at installation) encryption layer keys in the registry. The salt values for this DPAPI mode also need to be secured, as a disgruntled franchise owner may be the hacker (and hence would have admin privilege on the machine the software is installed on). Not as far fetched as you think !
This is the beginning of a vicious cycle. How do I secure and where do I store this salt value safely? With it a hacker with admin privilege can easily decrypt my keys if they know I am using machine mode DPAPI. Can I use ACLs to protect the keys with an account I set up manually on the machine? If so then I would need to be able to switch account identities in my code (which I haven't researched as yet) and then would need to store the password to that somewhere.
If anyone could offer any insight or direction it would be much appreciated.
Feb 21, 2014
We build up a new website in .net mvc 4.0 on a w2012 server with MSSQL 2012 database. We use Windows authentication and normal anonymous access through NT AUTHORITY\IUSR, who is also a login in the database. But we make an extra login possibility for users who are registered, and they can insert and modify data in some tables in the database. And I'm afraid of giving NT AUTHORITY\IUSR insert and update for some columns in tables. I think of setting up a new login for the database: run a new connection string on login, set up special permissions for that extra user on the database, and let the user become a member of the ordinary user on the database.
Apr 21, 2015
Is there any way in which I could distinguish a group of Database users from the other users? Say for e.g. store the Database users hierarchically, etc. Adding a Prefix/Suffix to the user name as a distinguisher will not work in my case. I want to restrict the deletion of these Database users. Even the login with sysadmin or serveradmin rights should not be able to DROP those Database users.
Sep 17, 2015
SQL Server 2008 R2: How is the security log more secure than the application log?
May 8, 2007
Hi guys
I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)
I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.
Have researched this a fair bit, but get somewhat lost amongst all the jargon.
Mar 17, 2008
Hello, I have a problem regarding stored procedures and view server state.
I have an application with a lot of stored procedures; one of them checks data of the connected users.
In SQL 2000 I had no problem getting this information, but in SQL Server 2005 I do.
My stored procedure looks like this:
ALTER PROCEDURE [dba].[applsp_GetConnectionInfo]
(
@DBName varchar(100)
)
WITH EXECUTE AS OWNER AS
BEGIN
SET NOCOUNT ON
DECLARE @sCollationMaster VARCHAR(128);
DECLARE @sSqlString VARCHAR(900);
-- Determine collation from master database because collation from master and ultimo database may differ
SELECT @sCollationMaster = CAST(databasepropertyex('master', 'Collation') AS VARCHAR);
SET @sSqlString =
'SELECT max(status) AS Status, max(isnull(SCISUSENAME, ''ULTIMOLOGIN'')) AS Login
, MAX(Rtrim(Rtrim(convert(varchar(255), nt_domain)) + nt_username)) AS NTUser
, max(Rtrim(hostname)) AS Host, MAX(Rtrim(program_name)) AS Program
FROM master.dbo.sysprocesses JOIN dba.SCONNECTIONINFO on SCISPID = CAST(spid AS VARCHAR)
AND ( SCISUSENAME = ISNULL(loginame, '''') COLLATE ' + @sCollationMaster + ' OR ISNULL(loginame, '''') = ''ULTIMOLOGIN'')
WHERE ...... AND DB_NAME(dbid) = ''' + @DBName + '''
GROUP BY hostprocess
ORDER BY Login
';
EXEC(@sSqlString);
END
I've granted view server state permissions to my user 'dba' which is the db_owner.
When I execute the query in the stored procedure separately as dba I get all the info I need, but when I execute the stored procedure I don't see anything.
I seem to have the same problem with sp_who2.
Executing it gives me information about everyone, but when I put it in a stored procedure like this:
alter procedure test
with execute as owner as
begin
EXEC sp_who2
end
I just see information about myself
Aug 20, 2007
Hi,
authorized user: sa
any user : nuran
temporary table: birtablo
I need a stored procedure that will be executed by sa and will create some required temporary tables for each user. For example, the table name is birtablo. I mean sa will create the table for nuran, and when I check the owner of the table (birtablo) I want to see nuran, not dbo.
sa will execute following command:
create table nuran.birtablo (...........)
Is it possible to create a table by sa on behalf of any user? If it is, could you please explain?
Thanks
Nuran
Mar 5, 2006
Hello,
I am a new user of SQL Server. I have some problems with these words. I want to make my database work with my specified permissions. I will specify permissions with schemas, and a schema wants an owner. I want this owner to be my user. Creating a user needs a valid login. I am selecting my login and an error occurs that says this login has a different user. I am specifying permissions with roles. But I can't associate all of them. I hope I have explained my problem to you well. If you explain these words to me and tell me how I can do my database's work with my own schemas, users and roles I'll be grateful. Thanks for the advice.
Happy coding...
Jul 28, 2015
We have an existing SSRS server, and have just created a new child domain. We'll be migrating users from the parent to the child, and want to add the users of that new domain with access to SSRS. In the parent domain they are able to access, but after migration with the child domain account, they cannot.
I have added the group CHILD\Domain Users with a system user role on SSRS, and PARENT\Domain Users was already there.
Is there any additional step I should/could take to get this active?
Mar 6, 2008
I have had this issue just pop up. I have local users who can connect fine, but my users that require connection by VPN cannot connect. I get the server not available or access denied error. I did confirm that the VPN'ers are connected to the network correctly and can see that their shares and mappings are correct. Any ideas? Thanking you all in advance!!
Sep 28, 2015
I am trying to revert back to Windows 7 after upgrading to Windows 10, however it will not let me and the following message occurs: "Remove new accounts. Before you can go back to a previous version of Windows, you'll need to remove any user accounts you added after the most recent upgrade. The accounts need to be completely removed, including their profiles. You created one account (NT SERVICE\MSSQLSERVER) Go to Settings> Accounts> Other users to remove these accounts and then try again". However I did not create any new users and there are no other users listed in the Accounts section.
Apr 30, 2008
Hi all,
I've got two tables called "webusers" (id, name, fk_country) and "countries" (id, name).
In the meantime, I have a search page where I can fill in a form to search users. In the dropdown to select the country I included an option which is called "all countries".
Now the problem is: how can I make a stored procedure that makes a restriction to the fk_country depending on the submitted fk_country parameter? It should be something like
SELECT * FROM webusers (if @fk_country > 0, which is the value for "all countries") { WHERE fk_country = @fk_country }
who has an idea how to solve this problem?
Nov 28, 2006
Hi Team,
In SQL Enterprise Manager, when we expand "Database -->Users", we see the
users there. When we expand "Security --> logins" we see the same users there.
Can you differentiate these two.
Thanks
Santhosh
Sep 24, 2005
I am designing an application built on sql server 2000
How can I prohibit other SQL Server users from accessing my database, allowing access only through my application or through the owner/designer of the SQL Server database?
My situation sometimes needs copying the db from the end user platforms to my designer computer to analyze some problems or for maintenance or modification, and also I have no control over the users' Windows environment and I need the professional end user not to enter my db from outside my application.
So,
is there anything I can do to secure an MDF (MSDE/SQL Server 2000) file so that a user cannot see my schema under any circumstances.
Even if I lock the MDF down and secure the instance, a smart user can just shut off the SQL server, copy the MDF to another instance, sp_attachdb and open it with sa rights. I need a way to prevent others from getting inside my schema.
Apr 28, 2008
Hi,
Do you guys know how to call secure FTP from a script task in an SSIS package which can be done by invoking the exe like winscp from a script task
Apr 9, 2008
hi everybody ,
Can anybody tell me about Secure FTP
and how the code for uploading and downloading of files can be written using Visual C#
Actually I have created code for Standard FTP (normal FTP), but when I am using it for secure FTP the compiler is giving an Exception: "Unable to create Remote Server"
Very confused about what to do....??
Even very small help would be very much appreciated
thanx .... Nics
Apr 13, 2008
have SQL Server 2005 std edition SP1 installed on Windows 2003 Std edition .Configured Transactional (single Publisher and no clustered environment.)
Replication past two months working fine, Now
1.Distrib.exe application err is coming.
Due to which my job is failing (Distributor to Subscriber).
I am attaching the file.
Thanks
Sandeep
Aug 9, 2004
Database files (.mdf and .ldf) could be copied and explored by attaching them to any other instance of sqlserver.
How we could secure those files as we can do for Access file using a password ?
Thanks for any comment.
skentafi
Nov 11, 2005
hi
This is my 1st time on this forum. I need to keep my DB secure on SQL Server, so that nobody can enter into my DB and couldn't see my tables and other elements of the DB.
Regards
AHK
Mar 21, 2006
i need to set up a sql server login that can query the database, but i don't want it to be able to see scheduled jobs or dts packages
actually if i could keep it out of enterprise manager altogether that would be great
how can i set this up?
Jun 30, 2005
If a user is a local admin of the box they can gain full access to the database via integrated security. They can create their own database and attach .MDF
How can i secure the .MDF so that no one can gain access to it?
Mar 5, 2008
I have developed an application that uses a SQL Server compact edition database (.sdf). The database contains important data that I do not wish people to access.
My question is if I choose to Encrypt the database using the option available when you create the database and specify a password how secure is it ?
Are there tools on the market that will be able to crack this password and therefore gain access ?
Thanks
Jul 20, 2005
We can find a lot of recommendations about how to secure a SQL*Server configuration. Does anyone have scripts to do it? Any advice or links are welcome.
Jul 20, 2005
How would I set up secure replication between 2 servers that are in different cities? Would I need to define linked servers first? Would I use SSL? Help appreciated. Thanks. Steve
Jul 10, 2007
Hello...
I develop a .NET Application which uses a SQL Express Database. The application will be distributed to several customers. That means the customer must have (or install) SQL Server Express Edition.
But we don't want the users to manually access the database.
As far as understand that is not possible because the user (customer) will be the administrator for the SQL Server Express because it runs in his own PC (no password security).
Am I right? Thank you..
Oct 24, 2006
Is it possible to secure a SQL Server database or schema using a technique such as the .Net StrongNameIdentityPermission attribute? The intent is that SQL Server would only permit transactions coming from assemblies which were signed with a particular .Net StrongName private key.
We are installing a 3rd party SQL Server / ASP.Net application which must run in our DMZ and we are looking for all possible measures to secure the SQL Server database.
Thanks
Jun 16, 2007
hello all,
I've recently started using sql express 2005. I've used the features very conveniently.
But one thing I couldn't understand is how I can secure my database from unwanted access.
I've Installed Sql Express 2005 with mixed mode authentication (Sql authentication) and attached my Database. But it also connects with Windows authentication, and all my data tables are openly visible.!!
How can i Secure my database now..!!!
My intention is to restrict access to my databases only to certain users (may be SQL Logins)
Please guide me how to accomplish this...
Thanks
Jun 4, 2008
I want to be able to list all users connected/logged in a specific database and disconnect them all or a certain user.
can this be done in SQL and if so how?
Sep 26, 2007
We are using Navision with SQL server 2003.
What kind of methods are there out there to reduce how often this happens?
Feb 20, 2004
When I'm getting data from sqlserver using ado.net and a sqldataadapter, are the resultant network traffic packets secure? If I wanted to deploy my objects at a remote site, would I still be safe going straight to my sql server from there or should I build a web service and then auto generate 'remote' versions of my objects that will then communicate to the web service on https?
thanks
pat
Oct 30, 2004
I connect to my clients SQL databases via Enterprise Manager. Most of the time the SQL server resides at a web host. A colleague recently told me that this is a huge security hole and I should be using Remote Desktop instead.
I would appreciate other input, opinions, and guidance on this issue.