Home All Groups Group Topic Archive Search About

Office XP... Secure?

microsoft.public.vb.general.discussion
Author
21 Sep 2005 6:43 PM
Rick
Suppose I have an appliation made in VB6 which connects to SQL2000.
The applications creates a DSN(old style) to connecto to the server.
The user has a login an a password to use the application. The server
validades Windows NT login.

Every effort had been made to protect the database from intruders.
So far so good...

Next day, comes Clarck Kent and connects to the server simply by using the DSN
and Excel 2000!!! He can browse, update and delete files!!!

How can I avoid such intruder.

Thank you...    waitng for replies...

--
Rick

Author
21 Sep 2005 6:54 PM
Paul Clement
On Wed, 21 Sep 2005 11:43:03 -0700, "Rick" <R***@discussions.microsoft.com> wrote:

¤ Suppose I have an appliation made in VB6 which connects to SQL2000.
¤ The applications creates a DSN(old style) to connecto to the server.
¤ The user has a login an a password to use the application. The server
¤ validades Windows NT login.
¤
¤ Every effort had been made to protect the database from intruders.
¤ So far so good...
¤
¤ Next day, comes Clarck Kent and connects to the server simply by using the DSN
¤ and Excel 2000!!! He can browse, update and delete files!!!
¤
¤ How can I avoid such intruder.

Either don't use a DSN (use a DSN-less connection instead with OLEDB) or don't include the user ID
and password in the DSN.

You can also use integrated Windows security w/SQL Server so that no user ID or password is supplied
when the user connects.


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
21 Sep 2005 7:05 PM
Rick
The DSN conexion uses Windows NT Autentication, so passwords are not
included. On the other hand, some computers(old Windows style) don`t accept
DSN-less conections, I have had some problems with this.



--
Rick


Show quoteHide quote
"Paul Clement" wrote:

> On Wed, 21 Sep 2005 11:43:03 -0700, "Rick" <R***@discussions.microsoft.com> wrote:
>
> ¤ Suppose I have an appliation made in VB6 which connects to SQL2000.
> ¤ The applications creates a DSN(old style) to connecto to the server.
> ¤ The user has a login an a password to use the application. The server
> ¤ validades Windows NT login.
> ¤
> ¤ Every effort had been made to protect the database from intruders.
> ¤ So far so good...
> ¤
> ¤ Next day, comes Clarck Kent and connects to the server simply by using the DSN
> ¤ and Excel 2000!!! He can browse, update and delete files!!!
> ¤
> ¤ How can I avoid such intruder.
>
> Either don't use a DSN (use a DSN-less connection instead with OLEDB) or don't include the user ID
> and password in the DSN.
>
> You can also use integrated Windows security w/SQL Server so that no user ID or password is supplied
> when the user connects.
>
>
> Paul
> ~~~~
> Microsoft MVP (Visual Basic)
>
Author
21 Sep 2005 7:24 PM
Paul Clement
On Wed, 21 Sep 2005 12:05:03 -0700, "Rick" <R***@discussions.microsoft.com> wrote:

¤ The DSN conexion uses Windows NT Autentication, so passwords are not
¤ included. On the other hand, some computers(old Windows style) don`t accept
¤ DSN-less conections, I have had some problems with this.

Well a DSN that contains pass through authentication is evil from a security perspective. As long as
someone can access a users machine you're vulnerable.

DSN-less connections are supported via OLEDB. I'm not sure why you would have issues with older
versions of Windows (unless they're 3.1).


Paul
~~~~
Microsoft MVP (Visual Basic)
Author
21 Sep 2005 7:06 PM
Ralph
Show quote Hide quote
"Rick" <R***@discussions.microsoft.com> wrote in message
news:7517C876-9877-45EB-BD05-616BAAA303FA@microsoft.com...
> Suppose I have an appliation made in VB6 which connects to SQL2000.
> The applications creates a DSN(old style) to connecto to the server.
> The user has a login an a password to use the application. The server
> validades Windows NT login.
>
> Every effort had been made to protect the database from intruders.
> So far so good...
>
> Next day, comes Clarck Kent and connects to the server simply by using the
DSN
> and Excel 2000!!! He can browse, update and delete files!!!
>
> How can I avoid such intruder.
>
> Thank you...    waitng for replies...
>
> --
> Rick
>

You can't.

If you set up full use of your database using the authentication and
authorization thru a Windows Login - then anyone who can log in to Windows
can access the database. The DSN/Excel/<insert any tool here> is just a
smoke screen. (It is just as easy for an unscrupulous visitor to bring in
his own tool - floppy, usb memory stick, a little hexeditor typing, etc.)

You have to invoke SQLServer Security - not so much keeping them out - but
as to what they can do once they're there.

In this day and age - attempting to secure a resource thru an 'Application'
is doomed for failure. You must invoke outside full system security and/or
the security services of the resource itself.

hth
-ralph
Author
21 Sep 2005 8:04 PM
Rick
Wow! and everybody is watching all this gossip...


Thanks!
--
Rick


Show quoteHide quote
"Ralph" wrote:

>
> "Rick" <R***@discussions.microsoft.com> wrote in message
> news:7517C876-9877-45EB-BD05-616BAAA303FA@microsoft.com...
> > Suppose I have an appliation made in VB6 which connects to SQL2000.
> > The applications creates a DSN(old style) to connecto to the server.
> > The user has a login an a password to use the application. The server
> > validades Windows NT login.
> >
> > Every effort had been made to protect the database from intruders.
> > So far so good...
> >
> > Next day, comes Clarck Kent and connects to the server simply by using the
> DSN
> > and Excel 2000!!! He can browse, update and delete files!!!
> >
> > How can I avoid such intruder.
> >
> > Thank you...    waitng for replies...
> >
> > --
> > Rick
> >
>
> You can't.
>
> If you set up full use of your database using the authentication and
> authorization thru a Windows Login - then anyone who can log in to Windows
> can access the database. The DSN/Excel/<insert any tool here> is just a
> smoke screen. (It is just as easy for an unscrupulous visitor to bring in
> his own tool - floppy, usb memory stick, a little hexeditor typing, etc.)
>
> You have to invoke SQLServer Security - not so much keeping them out - but
> as to what they can do once they're there.
>
> In this day and age - attempting to secure a resource thru an 'Application'
> is doomed for failure. You must invoke outside full system security and/or
> the security services of the resource itself.
>
> hth
> -ralph
>
>
>
Author
22 Sep 2005 9:20 AM
Tony Spratt
Show quote Hide quote
"Rick" <R***@discussions.microsoft.com> wrote in message
news:7517C876-9877-45EB-BD05-616BAAA303FA@microsoft.com...
> Suppose I have an appliation made in VB6 which connects to SQL2000.
> The applications creates a DSN(old style) to connecto to the server.
> The user has a login an a password to use the application. The server
> validades Windows NT login.
>
> Every effort had been made to protect the database from intruders.
> So far so good...
>
> Next day, comes Clarck Kent and connects to the server simply by using the
DSN
> and Excel 2000!!! He can browse, update and delete files!!!
>
> How can I avoid such intruder.
>
> Thank you...    waitng for replies...
>
> --
> Rick

If you want to use Windows authentication on a SQL database, it's generally
best to give the users read-only access to the data and give update access
to triggers and stored procedures only. This won't save you completely,
admittedly, especially from a skilled or determined attacker, but it's a
start and can be backed up with extra layers of obfuscation. This approach
will, at the very least, prevent accidental updates by users.

Cheers,

Tony.



Post Other interesting topics
[VB6] Passing the variable value to the form?
Fluctuation of printer alignment
Database and report question
How can i make sure
msgbox problem
Out of stack space
Help with Looping & Count Please
get users screen resolution
Missing File Export Template in VB.NET
about renaming the table ..