Protecting application

The One Who Was

Greetings:

I'm building a remote application that will verify with our server prior to running. The database it's verifying against is a SQL Server. So I've opened the port required to establish the connection.

Now, my concern is, how easy would it be for someone to retrieve my connection string? Is the string encrypted at all? Can my .NET application be reverse engineered and have my connection string compromised? Is there any way to beef up the security on this if it is a concern?

Also, what kind of security measures should I take on the server side? I've assigned the SA account a strong password, and I’ve installed all the latest service packs I could find. I've even had our firewall accept SQL connections on a different port. Just curious if there is anything else I could look into.

This application is not a mission-critical project, but just the same, I do not want anyone to have access to my connection string.
 
Ok, I've done some research and...

I've discovered .NET applications are easily disassembled and the connection string that I've programmatically entered is not safe.

There are applications that can skew the IL code making it harder to decompile, as well as encrypt string values in your application making them harder to discover, but they are still not safe from prying eyes.

So what I've decided to do is to create a server-side service that will run the SQL login verification on the server, and send a response back to the user's application. This will keep my password away from prying fingers and allow me to only run the queries and stored procs that I want. It "should" keep my SQL instance safe because I could then close the SQL port I have open to the WWW.

However, this is going to take me a while to figure out since I've never made any application like this before.

If anyone could help point me in the right direction (links, examples, reading materials, etc.) I'd greatly appreciate it. I'd imagine the sockets class is going to be required.

Thank you all very much.
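
Added example, not part of the original post: a sketch of the server-side verification service described above, where the client names an allow-listed operation and receives only a yes/no answer, so no connection string or SQL ever ships in the client. The `licenses` table, the `verify_license` operation, the JSON message shape and the use of `sqlite3` as a stand-in for SQL Server are all assumptions made for illustration; the network transport is left out.

```python
import hmac
import json
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 stands in for the SQL Server instance.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE licenses (username TEXT PRIMARY KEY, "
               "license_key TEXT, active INTEGER)")
    db.executemany("INSERT INTO licenses VALUES (?, ?, ?)",
                   [("alice", "K-1234", 1), ("bob", "K-9999", 0)])
    return db

def verify_license(db, username, license_key):
    # Parameterized query: client input is bound as data, never spliced into SQL.
    row = db.execute("SELECT license_key FROM licenses "
                     "WHERE username = ? AND active = 1", (username,)).fetchone()
    stored = row[0] if row else ""
    # Constant-time comparison of the stored and presented keys.
    match = hmac.compare_digest(stored.encode(), license_key.encode())
    return row is not None and match

# Allow-list: the only operations a client can name, with their required fields.
HANDLERS = {"verify_license": (verify_license, ("username", "license_key"))}

def handle_request(db, raw):
    """Answer one client message with {"ok": true|false} and nothing else."""
    deny = json.dumps({"ok": False})
    try:
        msg = json.loads(raw)
        handler, fields = HANDLERS[msg["op"]]
        args = [msg["params"][f] for f in fields]
    except (ValueError, KeyError, TypeError):
        return deny  # malformed message or operation not on the allow-list
    if not all(isinstance(a, str) and 0 < len(a) <= 64 for a in args):
        return deny
    return json.dumps({"ok": handler(db, *args)})

if __name__ == "__main__":
    db = make_db()
    good = '{"op": "verify_license", "params": {"username": "alice", "license_key": "K-1234"}}'
    print(handle_request(db, good))
    print(handle_request(db, '{"op": "run_sql", "params": {"q": "SELECT 1"}}'))
```
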
 