Solved

User Module

Posted on 2006-07-10
6
366 Views
Last Modified: 2010-04-17
Hi guys,
I need to add some security to my application. But I don't know what could be the best option to do it. I have an application with three options, some users can access option 1 and 2 and others can access 3.
My applicacion is built in ASP.NET with sqlServer 2005.
What can I do? should I create a table and attach the info in the program? or what can I do?
0
Comment
Question by:Carolinat
  • 2
6 Comments
 
LVL 18

Expert Comment

by:JoseParrot
ID: 17073350
Hi,

It is difficult to bound relative security, as it depends on individual point of views. By assuming your application doesn't need a 128 bits cryptographic key, you can chose from simple algorithm to create a two collums list (ID and password), storing each data by using boolean operations with your own key to more intricated algorithm with real security at varying levels. There is a good paper on that second approach at http://csrc.nist.gov/nissc/1997/proceedings/128.pdf

A very basic simple (easy to hackers open, but enough for elementary protection) is given in the following pseudocode:

KEY ENTRY
1. You create a 32 ASCII key. It is the byte array KEY[1...4]
2. Call verify(key,32)
3. If OK, go ahead. Go 1 otherwise.

USER PASSWORD ENTRY
1. User enters an 8 ASCII password. It is userPW.
2. call verify(password,8)
3. If OK, go ahead. Go to 1 otherwise.
4. For each byte key of your 32 bits key do:
   SecureByteUser[1] = userPW XOR KEY[1]
   SecureByteUser[2] = userPW AND KEY[2]
   SecureByteUser[3] = userPW OR KEY[3]
   SecureByteUser[4] = sum(SecureByteUser[1,2,3]

function verify(string, len)
if compliant to rules return TRUE else return FALSE
(rules: 8 chars, must have 1..9, must have lower and upper case, etc.)

You can improve that by using the directions on the paper. As is, this is a extreme primitive algorithm, but it is a beggining. BTW, you will store the list in a SQLServer table just accessed by you (or by Admin).

Another strategy is to create groups with specific profiles such that the application checks for permissions, based on the groups. This is applicable if each user has his/her own SQL password or the application has different levels for each group.

Hope helps.

Jose
0
 
LVL 7

Expert Comment

by:yotamsher
ID: 17073843
Hey  Carolinat

It is not clear what you are asking for.
My guess is that you are talkin about permissioning mechanism + user authentication, meaning user has to pass through a login screen, and then only get the appropriate option.
Is that correct?
how secure should it be?
are you moving some web application to the internet?
Is the computer containing the DB gonna be exposed to the internet?

sorry to ask so many questions, but well Servers security is tricky

Yotam
0
 

Author Comment

by:Carolinat
ID: 17074189
hi Yotam,

Here are my answers:

My guess is that you are talkin about permissioning mechanism + user authentication, meaning user has to pass through a login screen, and then only get the appropriate option.
Is that correct? YES

how secure should it be? FOR NOW IT'S FOR INTERNAL USE BUT IN A COUPLE MONTHS IT WILL HAVE TO BE FOR INTERNET ACCESS. I HAVE THE APPLICATION IN MY PC AND I NEED TO MOVE IT TO THE SERVER FOR TESTING AND FOR PRODUCTION.

are you moving some web application to the internet? NO

Is the computer containing the DB gonna be exposed to the internet? THE SERVER WILL HAVE BOTH THE APPLICATIONS AND  THE DATABASE.

WHAT IS THE BEST OPTION TO ADD SECURITY TO THE APLICATION?
0
 
LVL 18

Accepted Solution

by:
JoseParrot earned 500 total points
ID: 17156378
Hi Carolinat,

First, the 2 layers architecture is best solved by 2 separate servers: one for the application and the 2nd for the database. To be less expensive, we can run both database and application in just one server, but it is more exposed to security issues.

If the users log directly in the SQL Server base, then the permissions are set in the application commands to SQL. It is a simple solution.

If your application logs in SQL, your application must identify the users and grant them access to the application. In general, developers make a separate Access Module or Authentication Module. Even in this case, the access control by SQL Server is better.

So, you can create two user groups: user12 and user3. Each one has a login in the SLQ database. The Database Administrator, by using definitions created by the application owner, grants access to each table to the groups. In the application login, the individual user is identified as member of one or other group. From this point the SQL Server assumes the access control.

This way, the only you have is let SQL do the job.

Regards,

Jose
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
groupSum6 challenge 6 77
Program to display an alert on Windows Toolbar 2 71
oracle query help 18 99
Device same like our heart 12 77
This article will show, step by step, how to integrate R code into a R Sweave document
This is an explanation of a simple data model to help parse a JSON feed
In this fourth video of the Xpdf series, we discuss and demonstrate the PDFinfo utility, which retrieves the contents of a PDF's Info Dictionary, as well as some other information, including the page count. We show how to isolate the page count in a…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now