Database Security - Preventing Disassembly.

[bri189a]

I was reading the "Preventing Disassembly" post and have some questions for those of you doing this for a living. I want to know how these problems are dealt with.

 

If you have a desktop app that talks to a secured database such as access, how are you suppose to connect to it without putting the password to the database in code somewhere...promt the user everytime he wants to log on? Then he knows the database password and your secured database is vulnerable to table design changes making your application useless.

 

If you have a desktop app that talks to a sql server or some other sort of server, your connection string requires a password there too (unless your using windows authentication on the server) which leads to the same problem above; get Entriprise Manager snap in for free from Microsoft and now you can get into the companie's datbase for that program and start corrupting things.

 

Web apps; most people put the connection string in a app key in the web config file; while this file isn't accessible for downloading are there any other sercurity precautions?

 

Thanks!

[Joe Mamma]

Look a the MS whitepaper on SQL Server C2 Secuity.

 

Definitely a good starting point!!!

[neodammer]

you'll never have 100% security on this issue, at least not yet. But like stated in the previous post thats a great start.