Questions on .NET in regards to SQL Security.

Guest

Howdy all. I posted this in the SQL newsgroups but got no response, so I
thought I'd try here. I'm a SQL DBA, not a .NET developer, so please forgive
me if my concepts/verbiage are slightly incorrect.

SQL2K SP4

The apps that connect to my SQL DB's (for internet use) use SQL
authentication (the app login so to speak). Anyways, a Java developer showed
me that he built into his app a way to retrieve that app login and password
from SQL Server. Obviously I wasn't very happy about this. So my questions:

1; Does anyone know if the same thing can be done using .NET code?
2; I've heard of a method using .Net Web Services (WS) for using WINNT
authentication even for internet apps. It would be that the app calls a WS,
that WS then passes in WINNT authentication to the DB and all is good. Has
anyone else out there used this type of security? Is there a link you can
provide?
3; If number 2 is implemented, does it then eliminate the possibility of
apps being able to retrieve the sensitive information?

TIA, ChrisR
 
Steven Nagy

Hi Chris,

Well I'm interested in seeing this Java app. I am wondering if the
problem is not so much with the abilities of Java as opposed to the
security mechanisms on the SQL Server.
You can bet that if it can be done in Java, it can be done in .NET as
well.

Web sites and services can be configured to use NT authentication.
Particularly the new WCF stuff in .NET 3.0 is easy to configure for
different authentication mechanisms.
I don't have a link handy though.

In your case, I'd be looking at how the username/password is obtained
by the Java app. Is the person running the Java app while logged in as
a user who also has access to all the tables in the Master db? (eg.
sysxlogins, etc)
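
An added example, not part of either post above: it shows the difference the thread turns on, namely that a connection string for SQL authentication typically carries the app login's password, while one for NT authentication carries none. It classifies connection strings with `SqlConnectionStringBuilder` without opening a connection; the server, database and login names are constructed sample values.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

static class ConnectionStringAudit
{
    // Classify one ADO.NET connection string. Nothing is sent to a server:
    // SqlConnectionStringBuilder only parses the key/value pairs.
    public static string Classify(string connectionString)
    {
        var b = new SqlConnectionStringBuilder(connectionString);

        if (b.IntegratedSecurity)
        {
            // NT (Windows) authentication: the process identity is used, and
            // SqlClient ignores any User ID/Password also present in the string.
            return "windows-auth: no app password in the string";
        }
        if (!string.IsNullOrEmpty(b.Password))
        {
            // SQL authentication: the app login's password sits in the string,
            // so any code that can read the string can read the password.
            return b.PersistSecurityInfo
                ? "sql-auth: password embedded and still readable after Open()"
                : "sql-auth: password embedded in configuration";
        }
        return "sql-auth: no password supplied in the string";
    }

    static void Main()
    {
        // Constructed samples; none of these values come from the thread.
        var samples = new Dictionary<string, string>
        {
            { "web-app",     "Server=db01;Database=Shop;User ID=webapp;Password=example-only" },
            { "web-app-psi", "Server=db01;Database=Shop;User ID=webapp;Password=example-only;Persist Security Info=True" },
            { "service",     "Server=db01;Database=Shop;Integrated Security=SSPI" }
        };

        foreach (var kv in samples)
            Console.WriteLine("{0,-12} {1}", kv.Key, Classify(kv.Value));
    }
}
```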
 
