Solved

Security issues with Sybase ODBC connections?

Posted on 2004-09-21
9
365 Views
Last Modified: 2008-03-10
We have a Sybase ASE 12.5.0.2 database on Win2k.  We have approximately 50 Win2k/WinXP workstations running a Visual Basic Front-end to retreive data from this database.  Data Access is via an ODBC connection using the Sybase ASE ODBC Driver.  The username/password combination is hidden in the VB-Application and is the same for all users.

The database server is in a secure environment and Windows Access Control is considered good.  The clients are in a non-secure environment and Access Control is poor.

We have disabled the application if it discovers that Tracing has been switched on.

What are other security issues we need to think about?  Do you have any recommended solutions?
0
Comment
Question by:ErichN
  • 4
  • 3
  • 2
9 Comments
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114102
Does the application allow the users to create and pass through query strings?

Leon
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114144
Even though the user/password are hidden in the exe, it can be retrieved.  What kind of permission does this login id have?

It should be limited to executing store procedures and/or running selects on views.

Leon
0
 

Author Comment

by:ErichN
ID: 12114727
Leon,

The application completely controls the creation of query strings. I am not concerned about anything the application does - this is well controlled.  I am concerned about the contents of one table, which the user needs read/write access to.  The application restricts access to certain rows in that table.  I am concerned that if the username/password combination became known, access to the whole table would be possible.

The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.
0
 
LVL 29

Expert Comment

by:leonstryker
ID: 12114798
>>the user needs read/write access to

Why?  Allow access only through store procedures.  No table access should be given.

>>The password is stored in various variables in different modules of the application and only put together into one string before connecting to the database - I hoped this would make it difficult to retreive.

Yes, this will make it more difficult to retrieve (but not impossible).

In general, I am surprised you do not track induvidual user access through their logon ids.

Leon
0
Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

 

Author Comment

by:ErichN
ID: 12115207
>> Allow access only through store procedures.  No table access should be given.

This would be a major rewrite - but yes I understand what you are saying and will check this out more.

>> In general, I am surprised you do not track induvidual user access through their logon ids.

Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.
0
 
LVL 29

Accepted Solution

by:
leonstryker earned 400 total points
ID: 12115411
>>Well we do have 'application login' which allows us to track their access. It is not based on sybase users, but a table with 'application user/password' combination.

Have you checked this for dynamic SQL access?  Try this, start the application then the id and password screen comes up type nothing for id and for password type this:

' OR 1=1

If this lets you in, you have a big security hole.

Leon

0
 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12116957
You should also check, whether you have set-up password encryption - otherwise login name and password can be retrieved from captured network comunication. If you want to secure all the communication, use SSL.
0
 

Author Comment

by:ErichN
ID: 12120096
Leon,
I have tested and there is no problem with ' OR 1=1.
In addition, even if they managed to trick the login somehow, a user with an incorrect pseudo username does not have access to the data I want to protect (governed by the application).

Jan Franek,
Where and how do I set up password encryption?

How do I use SSL?

0
 
LVL 14

Expert Comment

by:Jan_Franek
ID: 12120538
On the client's side you can set it in ODBC DSN properties - I think it's on Connection tab. However it need's some changes on server side too - check your Sybase manuals.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Note: This is the second blog post in a series on email clearinghouses (https://www.xmatters.com/alert-management/blog-email-has-failed-us?utm_campaign=70138000000ydLoAAI&utm_source=exex&utm_medium=article&utm_content=blog-post).   Every month t…
: Microsoft Office Collaborate for free and online versions of Microsoft  Word, Excel, Powerpoint, OneNote, Onedrive , Email, Calendar etc. In short we can say that Microsoft office is a suite of servers, applications and services developed by  Micr…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

862 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now