Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 364
  • Last Modified:

ADODB Security

I have a question about using Access connecting to an DSN less ADODB connection to a MSSQL Database on the web. I need to get a feel for how secure it is. Perhaps you could give me opinions and references.

I realize that nothing is REALLY Secure on the Web, I just looking for a reasonable application of security.
I'm wanting to store Sales information - no Socials or Credit Card Numbers.

I'm writing unbounded forms that connect via ADODB to an MSSQL Database located on the web to populate the form..
There's no Sales Data in the application. The username and password to connect to MSSQL are input by the user when the app starts. This is in Access 2007 and will be finally saved as an ACCDE file extension.

How does this setup look to you gurus and any suggestions?

Thanks
quickdan
0
quickdan
Asked:
quickdan
  • 7
  • 3
1 Solution
 
quickdanAuthor Commented:
I guess my main question is how is the user name and password sent.
Is it encrypted?
If encrypted, how secure in the encryption?

Thanks
quickdan
0
 
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
If I'm not mistaken, the ADO connection will provide security during the "transit" period ... so a hacker couldn't grab the stream and get the credentials. I may be wrong on this, but it's always been my understanding ...

This link might provide some insight:
http://msdn2.microsoft.com/en-us/library/ms676709.aspx
0
 
quickdanAuthor Commented:
It's also my understanding that there's security in transit too but I'm needing to be more specific to those frowning faces. The Link is on browser ADO security connection information - stuff that's not working now etc.
I'm after something like - it 64bit encryption or it's microsoft concoction and ver 2.8 has no known issues or there are issues but the work around is...

I did start this project in a Browser using Java Script, Ajax, php and MYSQL, then I realized how many months it was going to take me. I wrote what I was after in a couple of weeks in Access but now I'm having to justify it. In general I've stopped tell people I develop in Access (they'd say "Wow, it's amazing what you've done taking Access to it's limits but Access is not a real development tool"). Which makes my blood boil. I've barely started with getting familiar with all the libaries in Access. I tell 'em now it's written in Office VB and MSSQL - it shuts most people up. Plus the new file extention ACCDE is going to confuse them for a short while.

Any how, I'm also trying to get a feel for the ADO connection to MSSQL and what information I would be comfortable going across the connection and being stored in MSSQL. (Obviously security is a bigger subject like what you use for passwords, how often they're changed etc but that's policy for the administrator and the users - a user with a post-it stuck to the front of their laptop with the username and password (which happens to be their name and birthdate) sat in an internet cafe with a dozen pimply faced tennagers looking over their shoulder while typing furiously on their state of the art Alienware Laptops is not someing I want to get into.

OK I'm rambling....
Thanks
quickdan
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
quickdanAuthor Commented:
I did find an article that says the username and password is encrypted but not data.
There's "Integrated Security='SSPI'" but this would have to be setup to work on the host side.
0
 
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
AFAIK there is no data encryption. I suppose you could setup something of that nature through external means (i.e. encrypt on the client, then transfer and then decrypt on the server before inserting) but that might not be what you're looking for.
0
 
quickdanAuthor Commented:
I just had a chat with the Internet MSSQL provider. They are suggesting SSL.
I know nothing about SSL yet.
0
 
quickdanAuthor Commented:
OK that's bogus, SSL is only for websites.
I have a ticket into the host providers next level of support to see what they suggest.

The long and short of it seems to be the username and password are encrypted but the data is not.
So, people could easily see the data being passed back to Access.
(I'm sniffer trained so I know how easy this is).

Ok, so now there's the option for Integrated Security='SSPI'
Current don't know how this works.
0
 
Scott McDaniel (Microsoft Access MVP - EE MVE )Infotrakker SoftwareCommented:
Integrated Security deals with logins and Windows usernames (i.e. allows a logged in Windows user to access the SQL Server). I don't think that's gonna help you with data. SSL only deals with security regarding the actual site, as you mention, and won't do what you want.

Here's an article on SQL Server encryption:
http://www.databasejournal.com/features/mssql/article.php/3483931




0
 
quickdanAuthor Commented:
So it looks like SSPI is purely and authentication system. Once authenticated everything is the same - clear text data. Which brings us to the end.
0
 
quickdanAuthor Commented:
Good aricle. Thanks

Thanks for going through this with me.

quickdan
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

  • 7
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now