Secure SQL Server Remote Access From ISV Application
May 8, 2007
Hi guys
I'm writing a C# application which connects to a local SQL database for data access. The application connects to SQL Server through windows authentication, but opens up the port and sqlbrowser to others on the network wanting to access the database through SQL Server authentication, and also allows remote users to connect to this server remotely if they have the login and password (and because the port is already open)
I understand this is not secure and open to attack, and am unsure of how to secure these processes without blocking these three types of access, from A.) the local user, B.) the network user and C.) the remote user across the net.
Have researched this a fair bit, but get somewhat lost amongst all the jargon.
I've been provided with a server at a hosting company. The server is running W2K3 SP2 in its own workgroup (i.e., non-AD) configuration, but is not behind any type of hardware firewall; there is no VPN in place, either. I connect to the server via RDP using an extremely long and complex password. I'm using the newest version of the RDP client. The article "Hacking RDP" and the ensuing reader comments (http://mcpmag.com/columns/article.asp?EditorialsID=1699) indicate that using RDP in this fashion is relatively safe.
I installed SQL Server 2005 SP2 on this server. I set server authentication to 'SQL Server and Windows Authentication mode'. I created one obscure SQL Server login, using another extremely long and complex password. I also disabled the login for the 'sa' account.
Since installing SQL Server on this server, I've noticed thousands of Failure Audit events in the server's Application log:
Source: MSSQLSERVER
Description: Login failed for user X
where X equals 'administrator', 'root', 'server', 'database' 'sql', 'sa', etc.
These failure events occur almost non-stop, about a dozen per second, and come from a small pool of unknown IP addresses. The IP address seems to change every few hours. I'm guessing that someone is hoping that one of these names is an actual SQL Server login and is trying a brute-force attack to try to stumble upon a matching password. None of these logins are valid, but it's still disconcerting. Is this anything to be concerned about? I could have the hosting company block the IP addresses, but that seems like a losing battle.
Lastly, I used the Surface Area Configuration tool to allow local and remote connections, using TCP/IP only--so that I could begin interacting with this SQL Server from my PC, using both SQL Server Management Studio and my own Visual Studio code. For each method, I'm using the obscure SQL Server login that I created earlier--the one with the extremely long and complex password. How (un)secure is my traffic to/from this SQL Server? I don't believe that my credentials are encrypted, but I'm not sure how much of a risk this is nor do I know how else to more securely connect to SQL Server.
Given these circumstances, is there any way to make this resource more secure? Thanks!
I am trying to get my hosting company to provide a way to make secure encrypted connections from my desktop (where I am using Enterprise Manager and Aqua Data Studio) to their shared MS SQL Server.
I've seen some references to SSH, but I don't understand how this works or how the host would implement it. I also read that an SSL certificate can be installed on SQL Server, but it doesn't seem as if EM or ADS can make SSL connections to SQL Server. (In case it makes any difference for either of these solutions, the hosting company has port 1433 open, and will not close it because some clients connect to the DB server from web apps on their own intranets.)
Finally, if a web-based admin is used instead (like phpMyAdmin for MySQL), then which machine is the software installed on? Can it be on a web server that makes a local connection to the DB server or does it have to be on the DB machine? E.g., if I had a VPS or dedicated server at the same hosting company would I be able to install web-based admin software which would then connect to the host's shared SQL Server?
Anyway, my host is giving incomprehensible (to me) objections to all of these ideas. Is there a reasonably simple way to do this on a shared DB server?
I have a windows based software application that connects remotely to a sql server 2005 and calls stored procedures. There is someone that I work with that is cautioning the company strongly that this is a bad thing to do in terms of security. Isn't this a very common thing to do? Assuming that the SQL Server installation is setup appropriately. Is this a bad practice?
SQL Database in my application with windows authentication rejects accessing after deploying and remote access 1- My web applications databese access is windows authentication 2- In developing area there is no problem for accessing database 3- After deploying to another server there is problem accessing database: Cannot open user default database. Login failed.Login failed for user 'BRCK231ASPNET'. How can I solve this problem? Thanks.
I am developing an distributed VB.NET 1.1 application with a TripleDES capable socket layer for communication with my server app.
I need to secure the distributed app from the users within the organization I am developing it for (a franchise).
I do not wish to store any encryption keys in the source code as these would be obvious to any seasoned hacker through decompilation of my binaries (even with obfuscation). I have decided to use the windows DPAPI (under machine storage mode) to secure manually entered (at installation) encryption layer keys in the registry. The salt values for this DPAPI mode also need to be secured, as a disgruntled franchise owner may be the hacker (and hence would have admin privilege on the machine the software is installed on). Not as far fetched as you think !
This is the beginning of a vicious cycle. How do I secure and where do I store this salt value safely ? With it a hacker with admin privilige can easily decrypt my keys if they know I am using machine mode DPAPI. Can I use ACLs to protect the keys with an account I set up manually on the machine ? If so then I would need to be able to switch account identities in my code (which I haven't researched as yet) and then would need to store the password to that somewhere.
If anyone could offer any insight or direction it would be much appreciated.
- When I disable "allow remote connections to this server" from server properties>connection page, I can still remotely connect to the server from SSMS...so what is the impact of enable/disabling it?
- what is the impact of changing the remote query timeout (on the same page) from default value?
An ASP.NET website hosting service allows the use of Enterprize Manager to manage the backend database of a hosted asp.net website. This is not done across a VPN and I don't think it could be done on SSL so the question is : How Secure is that? would this be ok for learning but not Ecommerce? Or is it an encrypted session and I paranoid?
Let me start off by saying I'm not a SQL expert and have very limited knowledge on the topic.Here is my question:Our organization has an archiving solution that stores data in a SQL database. This applicaton creates two SQL accounts. One that is used to archive to the database. The second to browse the database from a search interface provided by the application. With all the federal compliance issues I see that they require the data to be stored in "a non-rewriteable and non-erasable format". My question is. How can I prevent the database from being erased in the SQL database? As 'Administrator' I can open Enterprise Manager and open a table in the database and simply delete any record that I wish. I understand that might have this ability because I'm logged on as Administrator. How do I prevent access to this database and prevent access modify the records. I believe the only two accounts that should have access to the database are the Archive and Browse accounts required by the application.
I am developing a windows application that needs to communicate with a remote SQL server 2005 database. Server allows remote connections and MSDTC service also running. Do I need to run MSDTC service on the client machine where I use desktop application ? any ideas ? It's throwing some error like An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections.
But my SQL Server allows remote connection, and I am able to do a select statement. But when I insert/update anything, it's throwing this error. I guess some problem with MSDCT. Anybody have any idea ?
I'moving my asp application to a new hosting server.
So when i tried the setup locally with the live DB & application in my test machine... The DB access is denied when application tries to hit the DB.
DB is in seperate machine with SQL Server 2000 & application(ASP) is in Windows server 2003..... Kindly help me with your suggestions....on what went wrong?
[XXXXX] Connecting to remote server XXXXX failed with the following error message : WinRM cannot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the network, and that a firewall exception for the WinRM service is enabled and allows access from this computer. By default, the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet.
Dear netters,We are looking to build a SQL Server database that will be hooked up toa Web server (WebLogic or a .NET).The database will house data for multiple customers, and therequirement is to have no customer see other customer data. Web serverwill be responsible for authenticating users (ids and passwords will bemaintained there/possibly stored in the database, but will not beactual database logins) -- and establishing pooled connections to thedatabase, using some sort of a proxy login.Ideally, we do not want to have the database itself visible to "theworld", it should reside behind a firewall, and be accessible throughthe Web server, which will do all authentication and routing.We want to have either tables or views defined in such a way that:1. Users can only see their own data and NEVER can see anybody else's.2. Users' access to the database is logged (this includes updates aswell as queries).3. We would like to provide some sort of a reporting mechanism -- whereusers can form their own queries. So, something like a Crystal or anAccess front end, that users are typically familiar with... The problemis that this requires users having direct access to the database (?),and opens up tables (unless, there is a way to create parameterizedviews that will always restrict access to a subset of records).Any advice on how to best implement this is greatly appreciated.Thank you in advance!
Ok, I need to give some details. I have a secure Access Database using WorkGroup Security logon. It is an Access 97 database (yes I know it is "old").
I tried to create a DTS package in SQL Server 2000 to connect to it, but I am getting the same error that I got before I "joined" the workgroup when attempting to access the DB. So I changed the Service logon identites to mimic <me> as the logon, and still I can't get it to connect. The user name and password I put in the connection are correct.
It seems like nothing is working and I am all out of ideas. Does anyone have any recommendations? Has anyone done anything like this successfully?
PS: I can manually logon to the database, and extract the data 1 table at a time, but I don't want to export 40 tables each time I have to load this data. Any help would be appreciated. Thanks in advance.
SQL Server 2000 DTS Package Need to access a secure website which displays a list of available files for download. Firstly need to read that page to determine the most recent file. There is a view link to the file which uses java script to post back information for file download.
Not sure if I'm posting to the right group or not, pls tell me where else to post.
My question is: I have a microsoft access database on a client desktop that links to tables in sql server. Is there a way to encrypt the data that goes back and forth between access and sql?
Hi, Can anyone tell me how i can access an application or open tables in MS sql server that are in MS Access. Its urgent and any help will be appriaciated.
Hello all, We have a SQL database that uses a MS Access projectfront-end, which I am now creating an ASP.Net application for (And am completely new to so may be missing some foundation concepts). With the Access project I added Active Directory groups to the database to use for permissions, logins, etc. For the ASP app I have it set to use Forms authentication with Active Directory (ActiveDirectoryMembershipProvider). I can login to the app with the AD usernames/passwords but the connection from ASP.Net to SQL is using the ASP User. Is there a way to provide the authentication from the ActiveDirectoryMembership through to the SQL server, so the user: bobuser would be authenticated to SQL instead of ASPNETUSER?Or do I need to have the ASP.net app handle the permissions of which SP's a user can execute?Any help or suggestions are appreciated.Thanks,Jamie.
I have recently transfered data from MS Access to MS SQL Server 2000 and created user interface in MS Access Project (ADP). Now I need to secure the data on server and want to access it ONLY through interface I created in MS Access. Every user has to log in the application (user id and password). Users may have the same access rights to the server (so maybe just one account or whatever I need for all of them). Can anyone advice me how to set it up? To access sql server from MS Access I am using ADO.
Certain people in our company want to use Crystal Reports for data-processing. Problem is we want them to NOT be able to access data in databases within the live server.
Given that we use trusted connection to validate all kind of data-access, I am wondering if there is a way so that (via NT administration or via some SQL Server security features) the live-server can refuse any connection request from the Crystal Reports application. At the moment the same group of people are allowed access to database (and should remain to be so) on this "live" server via some other applications (e.g. Microsoft Access).
Hi there,I have written an application which uses MS Access for it's database engine.Due to the large size which the database has become I have decided that itwould be sensible to use SQL Server with the application instead.I am an extreme SQL Server newbie so I am not really sure what I'm doingyet! I have successfully downloaded and installed the MS SQLDE 2000 andservice pack 3.What do I need to do next? Ideally I would like to convert the existingAccess database to MS SQL Server format. Also I would like to know if it ispossible to create an SQL Server database from scratch using a guienvironment similar to Access and if so which software (preferably free) doI need to achieve this?Many thanks,Clive.
I have installed the SQL Server 2000 and its up running.
I can connect to the database direct as administrator, but my test application(asp.net 2.0) returns an exception.
SqlConnection sqlConn = new SqlConnection("data source=10.61.90.24;initial catalog=testdb;persist security info=False;user id=sa;pwd=data;Type System Version=SQL Server 2000;");
sqlConn.Open();
I receive this exception: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
I have a ASP.NET time sheet management application I designed - today I put it live on the webserver and recreated the database on my SQL 2000 server. When I attempt to view, all of the pages where I query the database I catch the error "SQL Server does not exist or access denied".
The concerning part of this is that I have tested the live database from my development PC (remote - offsite) and it works fine. This shows that the database that I brought over is intact and the user has the appropriate permissions. The only thing that I changed in the application when I copied it to the server was the connection string server name to reflect the location change.
The setup is as follows:
Development PC on a broadband connection running Windows 2003 server enterprise, SQL Server 2000 SP3a, Visual Studio 2003 Enterprise.
Web/Database/Email server running Windows 2003 Standard, SQL Server 2000 SP3a, Exchange 2003, Active Directory, DNS etc.
When I run the application on the Web server from a browser with local names ie. http:\SERVER1application I get the "SQL Server does not exist or access denied" errors. When I try to connect to the application on the web server from my development PC i get the same problem.
When I changed the connection string on my development PC to the webserver/dbserver it runs fine.
I don't understand how a local proccess is having difficulty authenticating to the database when I can access it remotely just fine.
My database knowledge are with MySql and Oracle, but recently I was asked to evaluate the migration of an existing (and maybe more) from ms access to sql server. My question is simple, if all of the sql are hard coded into the code ... how well this sql will work, I mean is the sql between access and sql server are plug'n'play ? However in any case, I always rewiew all of the sql.
First off, sorry if my cross posting offends anyone. I'm posting thisin Access and SQL Server groups - not sure which one is appropriate.I have a relatively simple ASP.NET/VB.NET application that is nowhitting an Access 2000 database over an intranet. We have to migratethe database to SQL Server 7. My experience with ASP.NET is prettylimited and my experience with SQL Server is nonexistent.We have an MSDN subscription, so I went to the downloads section to getSQL Server 7. Guess what? SQL Server 6.5 is available, as is 2000 and2005, but no SQL Server 7. So my first question is, does anyone know ifit is available for MSDN subscribers?The next question is, does anyone know of a good resource that explainshow to make the transition from Access 2000 to SQL Server 7? I know thedata has to be migrated and the connection between the application andthe database modified, but am really not sure exactly what to first andthe correct way to go about it. The application is a simple productconfigurator. There's not a lot of data and it's not a very complexdatabase.Thanks in advance. If you'd like, please copy responses tolcifers(AT)yahoo.com (AT) = @TIA.Cheers.- Luther
I am writing an Internet/Extranet based (ASP.Net 2.0) web application that uses SQL server 2005 as the database. I am using forms authentication on my web application. I am also storing the connection string to SQL server in my web config file. The conn string is encrypted using DPAPI with entropy. I currently have created a SQL login account on my SQL server for use by the web application. This is the user ID I am using in my conn string. The reason for this is because all persons using the application will NOT have a windows login.
Here is my question: The login I created currently has defaulted to the "dbo" role and therefore has "dbo" rights to the database. I want to setup up this login account so that all it can do is execute stored procedures. I dont want this SQL login to be able to do anything else. In my application I am using stored procedures for ALL data access functions, via a data access layer in my application. Can someone guide me step by step as to how to setup this type of access for this SQL login.
I've got a football (soccer for the yanks!) predictions league website that is driven by and Access database. It basically calculates points scored for a user getting certain predictions correct. This is the URL:
http://www.pool-predictions.co.uk/home/index.asp
There are two sections of the site however that have almost ground to halt now that more users have registered throught the season. The players section and league table section have gone progressively slower to load throughout the year and almost taking 2 minutes to load.
All the calculations are performed in the Access database Ive written and there are Access SQL queries to get the data out.
My question is, is how can I speed the bloody thing up! ! Somone has alos suggested to me that I use stored procedures and SQL Server to speed things up? Ive never used SQL Server before so I am bit scared about using it (Im only a hobbyist), and I dont even know what a SP is or does. How easy will it be upgrading the whole thing to SQL Server and will it be worth the hassle, bearing in mind I expect my userbase to keep growing? Do SP help speed things up significantly? Would appreciate some advice!
I'm using SQL Server to store session state. The Sql Server is on the local network but not on the web server. I use impersonation and use account credentials for the ASPNET worker process:
I've checked and given the user i'm impersonating the ability to do everything. I've granted access on all necessary files, added them to the DB and made the user a db_owner of the ASPState table. I can log in to a machine as the user, then access sql server using the windows authentication. I granted 'act as part of the operating system', 'access this computer from a network', 'log on as a service', 'log on as a batch job' on both the remote computer hosting sql server and the web server.
The strange thing is i installed the asp session state tables on my development machine, using the same configuration file to run everything, and was able to add an object to session state without any problem. But when i specify the remote server, i'm denied.
i use that to connect to the remote SQL server, which has status of port 1433 at "Stealth"... do i need to open the port complete, if yes how i do that ?
I want to access the other server from my Enterprise Manager by using <server_name>.<db_name>.<tab_name>.<procedure>/table_name.
Pls. let me know the steps I have to take I have added two remote logins in both the server. I also gave trusted right by using sp_remoteoption procedure and still I get the message 'the object <server_name> not accessible>
Please reply at the earliest, as I am right noe accessing the other servers data by bcp-out and bcpin into this server.............
I am trying to access SQL server remotely (over the internet). I would like to use query analyser as my front end tool. Can anyone point out the procedure to do the same. I have the IP address and the host string.
