Solved

Thick client application security (C# <-> SQL Server 2008 Express) .NET 4. Looking for good advice here

Posted on 2010-09-07
8
1,077 Views
Last Modified: 2012-06-21
"Standard" thick client application.
Existing application, this means that major refactoring will take a lot of time. Application is moving from inhouse solution to product. Making it a 3-tier application is not an option at the moment.
I am not intending to overdo the security bit but I do not want to make really basic mistakes. This software will be located at customer locations and I need a good security architecture that we can stand behind.

SQL statements are currently written in the client code. All statements follows "Prepared Statement" format (named parameters), no string concatenations are made. That should prevent SQL injection.

Encrypted connection between client and database
Passwords will be hashed in the client and validated at the database
Sensitive information in SQL Server tables will be encrypted using SQL Server's encryption features
Client will check that the user belongs to a certain Active Directory user group
C# assemblies will be obsfucated, encrypted using some software intended for this use. I was looking at Remotesoft's Salamander but that is not an option anymore. Perhaps {smartassembly}

Here you can get some info on security issued concerning thick clients.
Client/Server Security Assessment and Awareness
Thick Client Application Security

Application has it's own login for the users and uses only one account with the database. Any ideas on this? How do I store database login at the client location? In the resource file?
Other considerations?
0
Comment
Question by:jerra
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
8 Comments
 
LVL 20

Accepted Solution

by:
Marten Rune earned 500 total points
ID: 33617266
You don't

If you want security, deploy your thick application using AD, grant this AD group the necessary rights to the database. If you want to do this correctly, rewrite all sql statements in the thick application to use stored procs instead, with parameters ofcourse. Now grant execute to this AD group on the stored procedures.

You now hava a security solution that relies on kerberos authentication, should a user want to do anything unauthorized, he can't since all he can do is execute the stored procedures designed by you, the underlying tables are of limits for the users in this AD group.

Regards Marten
0
 

Author Comment

by:jerra
ID: 33617317
Thanks!
Ok, with your recommended changes made do you see other obvious security problems?

Just one thought that came to mind. What if the customer doesn't use AD? Just a single computer or two. (argh so much to consider)

0
 

Author Comment

by:jerra
ID: 33617365
Nevermind, we'll think of some way to bundle SQL Server with our software in these cases where the customer doesn't use AD.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:jerra
ID: 33617383
I am assuming you mean that this type of architecture then uses SSPI connection type?
0
 
LVL 20

Expert Comment

by:Marten Rune
ID: 33618062
Quote: 'I am assuming you mean that this type of architecture then uses SSPI connection type?'

SSPI = integrated = kerberos = Yes! Ofcourse
:-)

Good luck. If you have any more questions, fire away.
//Marten
0
 

Author Comment

by:jerra
ID: 33620610
OK thanks.
When you wrote "deploy your thick application using AD" does it have to be deployed through Group Policy? Can't it be installed normally?
0
 
LVL 20

Expert Comment

by:Marten Rune
ID: 33622156
yea it can, but you are missing the point. the ad group both deployes the app and grants the rights to execute the stored procs. it makes a neat package

\\Maryen
0
 

Author Comment

by:jerra
ID: 33624382
Personally I am not too familiar with AD and how to deploy software using policies but I will pass the information on! Thanks a lot!
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problem to copy file 14 45
Change this SQL to get all nodes 3 37
How come this XML node is not read? 3 27
firewall log 4 32
Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

735 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question