Millkind
asked on
When sending a sql command to the server over a network how secure is it?
I am looking into writing some register software. It will need to communicate with a SQL server over an open network. What is the best approach to make it difficult for someone to intercept the SQL command and use it for nefarious actions. I will be using vb.net to write the software.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Wouldn't they be able to see the connection string and get the password from there?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Okay good to know. Wasn't sure how to properly word my original question. I thought that the sql statements and connection string got combined when a query was executed.
ASKER
If I use Integrated Security=SSPI and my network admins require each user on the register to log onto the machine it seems that each user will need to have access granted to the server.
Not to the server. Users needs only to have permissions on application and database. There's no need to grant them access to any server. Always give the low permissions possible.
ASKER
Understood. However still means granting on average 50 people rights to the database at any one time. Also with a turnover rate of 10 people every 6 months the over head. However that is the price for security. I'm going to let this question open for a few more days in case something else comes up.
ASKER
It seems I could set up a service on the server and communicate to it from the application. The communication would be encrypted. The service would do all the queries and just send responses based on the query run. The service would communicate from the server to the server so should be pretty secure.
If they are all AD users, then the easy way is to create a group in AD where those users will be added into. Then you'll only need to give permissions to that group in SQL Server so you won't need to add or remove more users in the future.
And if (s)he have access to the database (s)he can do whatever (s)he want. Wouldn't need your SQL commands for nothing.