473,466 Members | 1,462 Online
Bytes | Software Development & Data Engineering Community
Create Post

Home Posts Topics Members FAQ

Security Tips

Dear all,

I'm designing a system including the database and the security
represents the most crucial aspect of the system; hence for the
database security i have implemented the following aspects and need
your advise on further aspects or perhaps corrections where by the
system is web based using asp.net and under iis 6.0 with https; in the
asp.net engine side, i have included client-side validations for what
ever is inputed and validated against sql injections for postback
forms:
The features of security in SQL Server 2005 side i have implemented:
1.) Created MACHINE\ASPNET Account
2.) Allowed ASPNET Account to access the DB
3.) Explicity denied ASPNET Account all permissions to all tables,
functions and views
4.) Denied all permissions to the ASPNET user for stored procedures
except EXECUTE permissions
5.) By Stored procedure creation, WITH ENCRYPTION, EXECUTE AS
'MACHINE\ASPNET' was used

No SQL was included in the asp.net code except for calling stored
proccedures; the policy is to only call stored procedures within the
asp.net pages and encrypt the connection strings inside the web.config
file.

Kindly, give me some guidelines for better security or discuss with me
the security aspects i mentioned

Regards

Dec 20 '06 #1
1 1262
coosa (co*****@gmail.com) writes:
I'm designing a system including the database and the security
represents the most crucial aspect of the system; hence for the
database security i have implemented the following aspects and need
your advise on further aspects or perhaps corrections where by the
system is web based using asp.net and under iis 6.0 with https; in the
asp.net engine side, i have included client-side validations for what
ever is inputed and validated against sql injections for postback
forms:
The features of security in SQL Server 2005 side i have implemented:
1.) Created MACHINE\ASPNET Account
2.) Allowed ASPNET Account to access the DB
3.) Explicity denied ASPNET Account all permissions to all tables,
functions and views
4.) Denied all permissions to the ASPNET user for stored procedures
except EXECUTE permissions
5.) By Stored procedure creation, WITH ENCRYPTION, EXECUTE AS
'MACHINE\ASPNET' was used

No SQL was included in the asp.net code except for calling stored
proccedures; the policy is to only call stored procedures within the
asp.net pages and encrypt the connection strings inside the web.config
file.
What you don't say is how you call the stored procedures. You should
be using CommandType.StoredProcedure. If you use EXEC statements, you
may still be open to SQL injection.

I'm not sure that I see the point with the EXECUTE AS clause, but as
long as all connections are by the ASPNET user, it should matter much
anyway.

--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pro...ads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinf...ons/books.mspx
Dec 20 '06 #2
Create Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
MySQL security of Data
by: zzapper | last post by:
Hi, Although I'm gradually getting the hang of working with MySql, can do a pretty mean query!! I realise I know nowt about security. Is security basically done outside MySQL ie with https:// and...
MySQL Database
2
Disabling Security Warning Box
by: Mark Lees | last post by:
I want to disable the security warning box that appears when I open a DB. It asks if I want to open this file. It is annoying. I understand that I am suppose to change the macro security...
Microsoft Access / VBA
4
Database Security
by: Ant | last post by:
I am trying to apply security to a database I have just finished. The application is split into a back end of tables and a front end of forms etc. I need some users to have access to forms based on...
Microsoft Access / VBA
3
Apply security permission in class library, fail to call it out!
by: Chua Wen Ching | last post by:
Hi there, I had applied this security permissions in my class library based on fxcop standards. Before namespace: using System.Runtime.InteropServices; using System.Security.Permissions;
C# / C Sharp
17
User/Group Security -- Just How Bad Is It?
by: TC | last post by:
In the past I always regarded user/group security as fairly tight. It is tricky to implement, but once implemented properly, it can't be cracked except through a dedicated effort. Recently,...
Microsoft Access / VBA
3
Looking for PHP security tips
by: Karl Nierler | last post by:
Hi everybody, I am currently developing my first commercial (customer specific) PHP application. This application is in fact nothing else than a content management system with internal...
PHP
1
Security
by: rwd | last post by:
I have mistakenly set security on a database set (access 2003) and now I am the only one who can open the file. Is there a way to clear out the security. I have gone in and assign rights to the...
Microsoft Access / VBA
18
Is UserLevel Security Really Necessary?
by: Earl Anderson | last post by:
First, I feel somewhat embarrassed and apologetic that this post is lengthy, but in an effort to furnish sufficient information (as opposed to too little information) to you, I wanted to supply all...
Microsoft Access / VBA
3
Security warnings
by: Salad | last post by:
On one computer I am getting the message "This file may not be safe if it contains code that was intended to harm your computer. Open It?" and on my computer I didn't get that message when I...
Microsoft Access / VBA
1
Security Warning - this file may not safe...
by: jackbenimble999 | last post by:
Hello! Every time I open my application (written in MS 2003 after being converted from a previous edition), I get the message "This file may not be safe if it contains code that was intended to...
Microsoft Access / VBA
1
Is that possible of reading the .csv file in column wise and the column have different lengths ?
by: Sonnysonu | last post by:
This is the data of csv file 1 2 3 1 2 3 1 2 3 1 2 3 2 3 2 3 3 the lengths should be different i have to store the data by column-wise with in the specific length. suppose the i have to...
C / C++
0
How to build RAID in BIOS?
by: Hystou | last post by:
There are some requirements for setting up RAID: 1. The motherboard and BIOS support RAID configuration. 2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
Computer Hardware
0
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
Windows Server
1
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
tracyyun
Discussion: How does Zigbee compare with other wireless protocols in smart home applications?
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each...
General
0
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
0
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and...
C# / C Sharp
0
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The...
Networking - Hardware / Configuration
0
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
C# / C Sharp

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us