?
Solved

Security issues with Sybase ODBC connections?

Posted on 2004-09-21
9
Medium Priority
?
400 Views
Last Modified: 2008-03-10
We have a Sybase ASE 12.5.0.2 database on Win2k.  We have approximately 50 Win2k/WinXP workstations running a Visual Basic Front-end to retreive data from this database.  Data Access is via an ODBC connection using the Sybase ASE ODBC Driver.  The username/password combination is hidden in the VB-Application and is the same for all users.

The database server is in a secure environment and Windows Access Control is considered good.  The clients are in a non-secure environment and Access Control is poor.

We have disabled the application if it discovers that Tracing has been switched on.

What are other security issues we need to think about?  Do you have any recommended solutions?
0
Comment
Question by:ErichN
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
9 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114102
Does the application allow the users to create and pass through query strings?

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114144
Even though the user/password are hidden in the exe, it can be retrieved.  What kind of permission does this login id have?

It should be limited to executing store procedures and/or running selects on views.

Leon
0
 

Author Comment

by:ErichN
ID: 12114727
Leon,

The application completely controls the creation of query strings. I am not concerned about anything the application does - this is well controlled.  I am concerned about the contents of one table, which the user needs read/write access to.  The application restricts access to certain rows in that table.  I am concerned that if the username/password combination became known, access to the whole table would be possible.

The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.
0
Learn how to optimize MySQL for your business need

With the increasing importance of apps & networks in both business & personal interconnections, perfor. has become one of the key metrics of successful communication. This ebook is a hands-on business-case-driven guide to understanding MySQL query parameter tuning & database perf

 
LVL 29

Expert Comment

by:leonstryker
ID: 12114798
>>the user needs read/write access to

Why?  Allow access only through store procedures.  No table access should be given.

>>The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.

Yes, this will make it more difficult to retrieve (but not impossible).

In general, I am surprised you do not track induvidual user access through their logon ids.

Leon
0
 

Author Comment

by:ErichN
ID: 12115207
>> Allow access only through store procedures.  No table access should be given.

This would be a major rewrite - but yes I understand what you are saying and will check this out more.

>> In general, I am surprised you do not track induvidual user access through their logon ids.

Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.
0
 
LVL 29

Accepted Solution

by:
leonstryker earned 1600 total points
ID: 12115411
>>Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.

Have you checked this for dynamic SQL access?  Try this, start the application then the id and password screen comes up type nothing for id and for password type this:

' OR 1=1

If this lets you in, you have a big security hole.

Leon

0
 
LVL 14

Expert Comment

by:Jan Franek
ID: 12116957
You should also check, whether you have set-up password encryption - otherwise login name and password can be retrieved from captured network comunication. If you want to secure all the communication, use SSL.
0
 

Author Comment

by:ErichN
ID: 12120096
Leon,
I have tested and there is no problem with ' OR 1=1.
In addition, even if they managed to trick the login somehow, a user with an incorrect pseudo username does not have access to the data I want to protect (governed by the application).

Jan Franek,
Where and how do I set up password encryption?

How do I use SSL?

0
 
LVL 14

Expert Comment

by:Jan Franek
ID: 12120538
On the client's side you can set it in ODBC DSN properties - I think it's on Connection tab. However it need's some changes on server side too - check your Sybase manuals.
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog post, we’ll look at how using thread_statistics can cause high memory usage.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

801 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question