I am having some major problem with maintaining security for my windows
application to the SQL. Currently my application access the SQL using
System.Data.SqlClient and all forms use stored procedures. It seems the
preferred method is to restrict access to all table and then to set the
execute option based on each stored procedure and handle the error in some
intelligent way. Now this is causing several problems the first being
setting the correct access on the several hundred stored procedures and the
second being changing each user access whenever a new stored procedure is
added. Both are becoming maintenance nightmares.
Now I would prefer to set the permission in my application and save the
passwords in a protected file but this creates a problem on remote systems
whereas the passwords can't be set from a central location so I don't see it
as feasible.
I was thinking of creating a small service that could run on a central
server to verify passwords and instruct my application on how to set behave
but this does not stop the user from just bypassing my application and
access the SQL directly. The preferred method would be not to allow them
access to the SQL at all but have my program act as a conduit which would
handle the security. But I am not sure how feasible this is. The other
option would be for the service to verify the user name against the SQL and
send the correct login to the application. This would at least hide the
login data assuming a secure connect.
Does anyone know of a better way of handling this?
Regards,
John
