quickdan

asked on

ADODB Security

I have a question about using Access connecting to a DSN-less ADODB connection to a MSSQL Database on the web. I need to get a feel for how secure it is. Perhaps you could give me opinions and references.

I realize that nothing is REALLY Secure on the Web, I'm just looking for a reasonable application of security.
I'm wanting to store Sales information - no Socials or Credit Card Numbers.

I'm writing unbounded forms that connect via ADODB to an MSSQL Database located on the web to populate the form.
There's no Sales Data in the application. The username and password to connect to MSSQL are input by the user when the app starts. This is in Access 2007 and will be finally saved as an ACCDE file extension.

How does this setup look to you gurus and any suggestions?

Thanks
quickdan
quickdan

ASKER

I guess my main question is how is the user name and password sent.
Is it encrypted?
If encrypted, how secure is the encryption?

Thanks
quickdan
Scott McDaniel (EE MVE)
If I'm not mistaken, the ADO connection will provide security during the "transit" period ... so a hacker couldn't grab the stream and get the credentials. I may be wrong on this, but it's always been my understanding ...

This link might provide some insight:
http://msdn2.microsoft.com/en-us/library/ms676709.aspx
It's also my understanding that there's security in transit too but I'm needing to be more specific to those frowning faces. The link is on browser ADO security connection information - stuff that's not working now etc.
I'm after something like - it's 64-bit encryption or it's a Microsoft concoction and ver 2.8 has no known issues or there are issues but the workaround is...

I did start this project in a Browser using JavaScript, Ajax, PHP and MySQL, then I realized how many months it was going to take me. I wrote what I was after in a couple of weeks in Access but now I'm having to justify it. In general I've stopped telling people I develop in Access (they'd say "Wow, it's amazing what you've done taking Access to its limits but Access is not a real development tool"). Which makes my blood boil. I've barely started with getting familiar with all the libraries in Access. I tell 'em now it's written in Office VB and MSSQL - it shuts most people up. Plus the new file extension ACCDE is going to confuse them for a short while.

Anyhow, I'm also trying to get a feel for the ADO connection to MSSQL and what information I would be comfortable going across the connection and being stored in MSSQL. (Obviously security is a bigger subject like what you use for passwords, how often they're changed etc but that's policy for the administrator and the users - a user with a post-it stuck to the front of their laptop with the username and password (which happens to be their name and birthdate) sat in an internet cafe with a dozen pimply faced teenagers looking over their shoulder while typing furiously on their state of the art Alienware Laptops is not something I want to get into.)

OK I'm rambling....
Thanks
quickdan
I did find an article that says the username and password is encrypted but not data.
There's "Integrated Security='SSPI'" but this would have to be set up to work on the host side.
AFAIK there is no data encryption. I suppose you could set up something of that nature through external means (i.e. encrypt on the client, then transfer and then decrypt on the server before inserting) but that might not be what you're looking for.
I just had a chat with the Internet MSSQL provider. They are suggesting SSL.
I know nothing about SSL yet.
OK that's bogus, SSL is only for websites.
I have a ticket into the host provider's next level of support to see what they suggest.

The long and short of it seems to be the username and password are encrypted but the data is not.
So, people could easily see the data being passed back to Access.
(I'm sniffer trained so I know how easy this is).

Ok, so now there's the option for Integrated Security='SSPI'
Currently don't know how this works.
ASKER CERTIFIED SOLUTION
Scott McDaniel (EE MVE )
So it looks like SSPI is purely an authentication system. Once authenticated everything is the same - clear text data. Which brings us to the end.
Good article. Thanks

Thanks for going through this with me.

quickdan
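
The thread's open questions, whether a given DSN-less ADODB session to MSSQL is encrypted and which authentication scheme it used, can be checked from Access itself. The VBA below is an added example, not code from any poster: it asks the SQLOLEDB provider for an encrypted session and then reads back what the server reports for that connection. It assumes the server has a certificate the client can validate and that the login may read `sys.dm_exec_connections` (VIEW SERVER STATE); the function and parameter names are hypothetical.

```vba
Option Explicit

' Added example. Opens a DSN-less connection with encryption requested and
' returns the server's own view of this session's encryption and auth scheme.
Public Function CheckConnectionSecurity(ByVal serverName As String, _
                                        ByVal dbName As String, _
                                        ByVal userName As String, _
                                        ByVal pwd As String) As String
    Dim cn As Object, rs As Object
    On Error GoTo Failed
    Set cn = CreateObject("ADODB.Connection")

    ' Set values through provider properties instead of concatenating a
    ' connection string, so a ";" typed into a form field cannot add keywords.
    cn.Provider = "SQLOLEDB"
    cn.Properties("Data Source").Value = serverName
    cn.Properties("Initial Catalog").Value = dbName
    cn.Properties("User ID").Value = userName
    cn.Properties("Password").Value = pwd
    cn.Properties("Persist Security Info").Value = False
    ' Request encryption for the whole session, not only the login exchange.
    cn.Properties("Use Encryption for Data").Value = True
    cn.Open

    ' encrypt_option is 'TRUE' or 'FALSE'; auth_scheme is e.g. SQL, NTLM, KERBEROS.
    Set rs = cn.Execute("SELECT encrypt_option, auth_scheme, net_transport " & _
                        "FROM sys.dm_exec_connections WHERE session_id = @@SPID")
    CheckConnectionSecurity = "encrypted=" & rs.Fields("encrypt_option").Value & _
                              "; auth=" & rs.Fields("auth_scheme").Value & _
                              "; transport=" & rs.Fields("net_transport").Value
    rs.Close
    cn.Close
    Exit Function

Failed:
    ' Covers refused encryption, a bad login, or a missing VIEW SERVER STATE grant.
    CheckConnectionSecurity = "failed: " & Err.Description
    If Not cn Is Nothing Then
        If cn.State <> 0 Then cn.Close   ' 0 = adStateClosed
    End If
End Function
```

A result of `encrypted=FALSE` means query results cross the network in clear text regardless of how the login was authenticated; `auth=SQL` versus `NTLM`/`KERBEROS` shows whether SSPI was actually used.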