.NET Forum / .NET Framework / Distributed Applications / April 2005

MS SQL Server 2000

Johan - 26 Apr 2005 13:42 GMT
Hi,
If I have a distributed application where the database is accessed over
a WAN, how should the login and the access control be done, in the database?
There will be several different users with different access rights.

The app needs to be highly secure.

/Johan
Steve Lutz - 27 Apr 2005 03:34 GMT
Hi Johan,

Which method of security depends on you really, all can be made as secure
(from an access to the database perspective).
It all depends on the amount of administration you want, and the client.

If the client is a website that you control, you can use a single login to
the database, and allow the website to control access to the database. Since
the website is under your control, the database user is never known by the
clients. This is pretty standard.

If it's a Windows Forms application, you may want to consider using SQL
Server built-in users. This adds additional administration on the database,
but it is already built in. It will also influence your design of the
client, as you can no longer assume you have full access to every column of
every database. The main difference is that the client application doesn't
KNOW it's access, it has to attempt to do something and fail.

You can also use the website approach on the client, but then the database
username/password will be "out in the wild" in the client applications.

Depending on your requirements on security, you also have 2 additional
concerns:
   1) Encrypting the data - what if someone got the SA password, is the
data that sensitive?
   2) Encrypting network transmissions. You're on a WAN, so I'm assuming
this is all internal. Do you need to encrypt the network traffic internally?

HTH,

Steve

> Hi,
> If I have a distributed application where the database is accessed over
[quoted text clipped - 4 lines]
>
> /Johan
Johan - 27 Apr 2005 14:15 GMT
Thanx for the reply Steve,

I have figured out a suggestion for how I could implement the database
access. Maybe you or someone else can give me feedback or any
suggestions of improvement.

The client will be a Windows form application.
The access (record access in the database tables) will be checked
manually in stored procedures.

> Depending on your requirements on security, you also have 2 additional
> concerns:
> 2) Encrypting network transmissions. You're on a WAN, so I'm
> assuming this is all internal. Do you need to encrypt the network
> traffic internally?

I am planning to use .NET remoting via IIS (+binary formatter) and SSL
over the WAN, is this a good idea?
I have read that it is faster than using Web services.

> 1) Encrypting the data - what if someone got the SA password, is the
> data that sensitive?

The login to the database will be done via Windows authentication, and
the user will not have administrator rights.
As I understand it, I can make this login on the same machine as the
database is on, from my "remoting service", without using any login
information, I just need to run the "remoting service" as the same user.

In the database I then have the application login data, to authenticate
the real users. (This is stored as hash values)

I might also use EFS (encrypted file system) for the database, but I am
not sure if it is needed.

Johan
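The following T-SQL is an added example, not code from the thread or from Johan's project. It sketches the design he describes above on SQL Server 2000: the remoting service is the only database principal (Windows-authenticated, EXECUTE rights only), application users are authenticated against salted hashes stored in a table, and every data procedure takes the authenticated application user id and filters rows by ownership. All table, column, procedure and account names are assumptions; the salt-fetch step and the hashing on the middle tier are part of the assumed design, since SQL Server 2000 has no built-in hash function.

```sql
-- Added example (not from the thread). Names below are assumptions.
-- Application-level users; the password is stored only as a salted SHA-1
-- digest that the remoting service computes before calling the database.
CREATE TABLE AppUser (
    AppUserId    int IDENTITY(1,1) PRIMARY KEY,
    UserName     nvarchar(64) NOT NULL UNIQUE,
    PasswordSalt binary(16)   NOT NULL,
    PasswordHash binary(20)   NOT NULL,   -- SHA-1(salt + password), never plaintext
    IsDisabled   bit          NOT NULL DEFAULT 0
)
GO
-- Business data with an ownership column used for row-level checks.
CREATE TABLE Customer (
    CustomerId  int PRIMARY KEY,
    Name        nvarchar(100) NOT NULL,
    OwnerUserId int NOT NULL REFERENCES AppUser(AppUserId)
)
GO
-- Step 1: the middle tier looks up the salt for the user name it was given.
CREATE PROCEDURE GetAppUserSalt
    @UserName nvarchar(64),
    @Salt binary(16) OUTPUT
AS
    SET NOCOUNT ON
    SELECT @Salt = PasswordSalt FROM AppUser WHERE UserName = @UserName
    -- Returning a random salt for unknown names would avoid leaking which
    -- names exist; left out here to keep the example short.
    RETURN 0
GO
-- Step 2: the middle tier hashes salt + password and presents the digest.
-- On success the procedure hands back the application user id that all
-- other procedures require as their first parameter.
CREATE PROCEDURE AuthenticateAppUser
    @UserName nvarchar(64),
    @PasswordHash binary(20),
    @AppUserId int OUTPUT
AS
    SET NOCOUNT ON
    SET @AppUserId = NULL
    SELECT @AppUserId = AppUserId
    FROM AppUser
    WHERE UserName = @UserName
      AND PasswordHash = @PasswordHash
      AND IsDisabled = 0
    IF @AppUserId IS NULL
    BEGIN
        RAISERROR('Authentication failed', 16, 1)
        RETURN 1
    END
    RETURN 0
GO
-- Step 3: record access is checked inside the procedure, so the client
-- cannot widen the filter. A user only ever sees customers it owns.
CREATE PROCEDURE GetCustomer
    @AppUserId int,
    @CustomerId int
AS
    SET NOCOUNT ON
    SELECT CustomerId, Name
    FROM Customer
    WHERE CustomerId = @CustomerId AND OwnerUserId = @AppUserId
    IF @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Access denied or no such customer', 16, 1)
        RETURN 1
    END
    RETURN 0
GO
-- The remoting service's Windows account (assumed name) is the only login;
-- it gets EXECUTE on the procedures and no direct rights on the tables.
EXEC sp_grantlogin 'CORP\RemotingSvc'
EXEC sp_grantdbaccess 'CORP\RemotingSvc', 'RemotingSvc'
GRANT EXECUTE ON dbo.GetAppUserSalt    TO RemotingSvc
GRANT EXECUTE ON dbo.AuthenticateAppUser TO RemotingSvc
GRANT EXECUTE ON dbo.GetCustomer       TO RemotingSvc
GO
```

Because the service account holds no table permissions, a compromised client or middle tier can still only reach data through the procedures, and each procedure re-checks ownership on every call rather than trusting a flag sent by the client.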
Steve Lutz - 30 Apr 2005 04:24 GMT
Johan,

RE: Remoting.
What speed is the WAN? Binary formatting isn't necessarily "faster" it just
requires less data to travel over the network. Big XML versus relatively
small binary data. If you have a decent speed WAN, then I wouldn't go
binary, especially if it's more troublesome. Over a local network, unless
you're dumping huge amounts of data, it probably isn't a big deal.

Remember with remoting, the actual instantiation of an object exists on the
remote machine (using the remote machine's memory/cpu/etc) . This may or may
not be what you intended.

I'm not sure why you would go the remoting path (or distributed). It seems
like more than just a client server application that you are working on. I
guess you want a middle tier (the remoting server)?  Generally, I would just
do client directly to database, but I am also mostly used to writing
web-based applications also.

Finally, with regards to the database access, Windows authentication is
fine, but it means that your SQL Server needs to be on the domain, or that
you will need to create local Windows accounts on the machine. Generally,
at least in my line of work, we don't put production servers on a domain.
For controlling access, I wouldn't attempt to reinvent the wheel. I'd rather
admin SQL Server logins/users which can give me column level security to the
database. (I don't think it does row level). So I guess my reasoning is that
you might as well use SQL Server's internal security since I would admin the
users on the SQL Server level anyway.

Didn't mean to write so much, and I hope it makes sense.

Steve

> Thanx for the reply Steve,
>
[quoted text clipped - 32 lines]
>
> Johan
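As an added example of the approach Steve recommends above (not code from the thread), the T-SQL below sets up SQL Server 2000 built-in security for end users: one login per person, a database role that carries the permissions, a column-level GRANT/DENY so clerks never read the sensitive column, and a procedure that adds the row-level filter SQL Server 2000 does not provide natively by comparing the caller's login name (SUSER_SNAME()) with an ownership column. Login names, the password placeholder, and all table and column names are assumptions.

```sql
-- Added example (not from the thread). Names below are assumptions.
-- Two ways to create a login: a Windows login if the server is on the
-- domain, or a SQL Server login if it is not.
EXEC sp_grantlogin 'CORP\johan'
EXEC sp_addlogin @loginame = 'clerk1',
                 @passwd   = 'PLACEHOLDER-choose-a-strong-password',
                 @defdb    = 'Sales'
GO
USE Sales
GO
-- Map the logins to database users and collect them in a role, so
-- permissions are granted to the role rather than to each person.
EXEC sp_grantdbaccess 'CORP\johan', 'johan'
EXEC sp_grantdbaccess 'clerk1', 'clerk1'
EXEC sp_addrole 'OrderClerks'
EXEC sp_addrolemember 'OrderClerks', 'johan'
EXEC sp_addrolemember 'OrderClerks', 'clerk1'
GO
CREATE TABLE dbo.Orders (
    OrderId       int PRIMARY KEY,
    CustomerId    int NOT NULL,
    OrderDate     datetime NOT NULL,
    Total         money NOT NULL,
    CardNumber    varchar(19) NULL,      -- sensitive: clerks must not see it
    AssignedLogin sysname NOT NULL       -- login that owns the row
)
GO
-- Column-level security: the role may read the header columns only.
-- A client issuing SELECT * fails; SELECT OrderId, Total succeeds. This is
-- the "attempt and fail" behaviour described earlier in the thread.
GRANT SELECT (OrderId, CustomerId, OrderDate, Total) ON dbo.Orders TO OrderClerks
DENY  SELECT (CardNumber) ON dbo.Orders TO OrderClerks
GO
-- Row-level filtering is done in a procedure. Because dbo owns both the
-- procedure and the table, ownership chaining lets role members run it
-- without any direct table permission, and the WHERE clause restricts
-- each caller to the rows assigned to their own login.
CREATE PROCEDURE dbo.GetOrder
    @OrderId int
AS
    SET NOCOUNT ON
    SELECT OrderId, CustomerId, OrderDate, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId
      AND AssignedLogin = SUSER_SNAME()
    IF @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Order not found or not assigned to you', 16, 1)
        RETURN 1
    END
    RETURN 0
GO
GRANT EXECUTE ON dbo.GetOrder TO OrderClerks
GO
```

With this layout the client connects under the end user's own identity, so the database, not the client binary, holds the credentials and the access rules; the trade-off Steve notes is that every user needs a server login and the Windows variant requires the server to be domain-joined or to carry local accounts.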