SQL Server integrated security without SQL Server Management Studio
https://stackoverflow.com//questions/11662676
-
11-12-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I am using integrated security in an ASP.net application, the IIS and SQL Server are both hosted on the same server machine running Windows Server 2008 R2.
Is it possible to allow users to access the application from across the network AND logged in users but not let them access the database directly or via SQL Server Management Studio?
I am trying to safeguard the database access because my application is going to be deployed on the client's server at client's premises.
Here is my connection string that i am currently using
<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="LocalSqlServer" providerName="System.Data.SqlClient" />
<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="MainAppConnectionString" providerName="System.Data.SqlClient" />
These are the two connection strings i am currently using, one is for ASP.net Authentication and second is used by my application. These both strings are the same and of the same database.
Any suggestions?
Solution
It is not possible to 'secure' a database running on client's premises. The client's staff can get the password from the ASP.Net connection string. A domain administrator can always gain access to the database (there is an actual MSDN article describing the process: Connect to SQL Server When System Administrators Are Locked Out).
If you want to hide the Intelectual Property you feel your database has, then your only solution is to not deploy the database on the client premise (use a hosted database like SQL Azure for instance).
If you simply want to prevent the client from interfering with the database you can stipulate so in the contract. Auditing and detecting interference is possible.
OTHER TIPS
Yes, that is completely possible. A Person logged in to ASP.NET using integrated security can not log in to SQL Server with the same credentials. Both are completely disconnected. It is only possible if the SQL Server has been set to allow them access.
My Piece of advice would be to create SQL Login and users, and only give them access to SQL Server. In your application, when you create the Connection String, do not set integrated security to true, and just let the user enter his Sql username and password to access the database.
