Questions on .NET in regards to SQL Security.

Howdy all. I posted this in the SQL newsgroups but got no response, so I
thought I'd try here. I'm a SQL DBA, not a .NET developer, so please forgive
me if my concepts/verbiage are slightly incorrect.

SQL2K SP4

The apps that connect to my SQL DB's (for internet use) use SQL
authentication (the app login so to speak). Anyways, a Java developer showed
me that he built into his app a way to retrieve that app login and password
from SQL Server. Obviously I wasn't very happy about this. So my questions:

1; Does anyone know if the same thing can be done using .NET code?
2; I've heard of a method using .Net Web Services (WS) for using WINNT
authentication even for internet apps. It would be that the app calls a WS,
that WS then passes in WINNT authentication to the DB and all is good. Has
anyone else out there used this type of security? Is there a link you can
provide?
3; If number 2 is implemented, does it then eliminate the possibility of
apps being able to retrieve the sensitive information?

TIA, ChrisR

Oct 10 '06 #1
Hi Chris,

Well, I'm interested in seeing this Java app. I am wondering if the
problem is not so much with the abilities of Java as opposed to the
security mechanisms on the SQL Server.
You can bet that if it can be done in Java, it can be done in .NET as
well.

Web sites and services can be configured to use NT authentication.
Particularly the new WCF stuff in .NET 3.0 is easy to configure for
different authentication mechanisms.
I don't have a link handy though.

In your case, I'd be looking at how the username/password is obtained
by the Java app. Is the person running the Java app while logged in as
a user who also has access to all the tables in the Master db? (eg.
sysxlogins, etc)

Oct 10 '06 #2
The developer claims that he is able to query the configuration file from the
app.

"Steven Nagy" wrote:
Hi Chris,

Well, I'm interested in seeing this Java app. I am wondering if the
problem is not so much with the abilities of Java as opposed to the
security mechanisms on the SQL Server.
You can bet that if it can be done in Java, it can be done in .NET as
well.

Web sites and services can be configured to use NT authentication.
Particularly the new WCF stuff in .NET 3.0 is easy to configure for
different authentication mechanisms.
I don't have a link handy though.

In your case, I'd be looking at how the username/password is obtained
by the Java app. Is the person running the Java app while logged in as
a user who also has access to all the tables in the Master db? (eg.
sysxlogins, etc)


Oct 11 '06 #3
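
Added example, not part of the thread or any poster's code: a small audit that reads .NET-style configuration XML and reports whether each connection string stores a SQL login password in the file (the situation described in #3) or uses Windows authentication (the alternative raised in #1 and #2). The server, database, login and entry names are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs for illustration; not taken from the thread.
SQL_AUTH_CONFIG = """<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=DBHOST;Database=Sales;User ID=app_login;Password=PLACEHOLDER" />
</connectionStrings></configuration>"""

WINDOWS_AUTH_CONFIG = """<configuration><connectionStrings>
  <add name="AppDb" connectionString="Server=DBHOST;Database=Sales;Integrated Security=SSPI" />
</connectionStrings></configuration>"""

LEGACY_APPSETTINGS_CONFIG = """<configuration><appSettings>
  <add key="ConnStr" value="Server=DBHOST;Database=Sales;uid=app_login;pwd=PLACEHOLDER" />
  <add key="PageSize" value="25" />
</appSettings></configuration>"""

SECRET_KEYS = {"password", "pwd"}
INTEGRATED_KEYS = {"integrated security", "trusted_connection"}
INTEGRATED_ON = {"true", "yes", "sspi"}

def parse_connection_string(text):
    """Split 'key=value;...' into a dict with lower-cased keys.
    Simplification: quoted values containing ';' are not handled."""
    pairs = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            pairs[key.strip().lower()] = value.strip()
    return pairs

def audit_config(xml_text):
    """Return [(entry_name, verdict)] for every connection-string-like entry."""
    findings = []
    for add in ET.fromstring(xml_text).iter("add"):
        raw = add.get("connectionString") or add.get("value") or ""
        pairs = parse_connection_string(raw)
        if not (pairs.keys() & {"server", "data source"}):
            continue  # not a connection string (e.g. an ordinary app setting)
        name = add.get("name") or add.get("key") or "?"
        if pairs.keys() & SECRET_KEYS:
            verdict = "embedded-credentials"  # secret readable by anything that can read the file
        elif any(pairs.get(k, "").lower() in INTEGRATED_ON for k in INTEGRATED_KEYS):
            verdict = "windows-auth"          # no secret stored in the file
        else:
            verdict = "unknown"
        findings.append((name, verdict))
    return findings
```
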
