Is there a way to secure a sql server database which is accessed by a fat client? Meaning: The application communicates directly with the database as it places sql statements itself. That means, the connection string has to be somewhere on the client. Using this connection string (either with winauth or sql server authentication) any user can access the db using some management studio or command line and place different statements to the db than the GUI would let him.
What to do about that? I cannot place another layer between the client and the database as this architecture is fix.
views:
43answers:
3
+1
A:
That is what SQL Server permissions are for.
You can do things like give permissions to a user on a View or Stored Procedure without giving the user permissions to the underlying tables.
You might want to look into Application Roles
Chris Diver
2010-07-28 11:07:31
I cannot create one view per user. So there needs to be some parameter etc. to identify the user (or object). So by access bypassing the software these parameters can be manipulated.
Uwe
2010-07-28 11:28:37
@Uwe You don't have to create a different view per user. You just make sure that the account they (and the application) connects with has limited permissions. Or are you saying that the application needs permissions to objects which it would be a problem if the user could directly access in an uncontrolled way?
Martin Smith
2010-07-28 11:51:30
@Martin Exactly. The User can delete, view and create records based on content in the db itself. I cannot map the permissions of the data to the users. That is what the application logic does.
Uwe
2010-07-28 12:33:08
An application role might be appropriate in this case, i've added some links on my post.
Chris Diver
2010-07-28 13:38:22
@Uwe So wait, the application logic for permissions is controlled by the client? Did you really just say that...
Rook
2010-07-28 15:59:37
@Uwe - doesn't matter if the database specifies the permissions or not, you still only allow the user to call SPs, and do nothing on the table. At least then you have some level of control.
ck
2010-07-28 16:09:16
A:
First and foremost the whole point of a SQL Injection vulnerability is that the attacker is able to manipulate queries. This purposed protocol is an even worse vulnerability. But not only that this is also a clear violation of CWE-602: Client-Side Enforcement of Server-Side Security and CWE-603: Use of Client-Side Authentication.
In order to make this secure you must do the following:
Each user must also have their own locked down database. As in they only have select/update/delete/insert and no other privileges (especially not xp_cmdshell()!!!!). You cannot allow users share a database, or an attacker will be able to view other users information. An attacker will always be able to obtain the username/password for the sql server and be able to connect directly with his own client. Its hard to think of this relationship as being secure, in almost all cases this is massive vulnerability.
In all reality this is a very serious architectural flaw and you must build a server side component that builds quires for the client. This is usually done with SOAP (wcf for ms platforms).
Rook
2010-07-28 15:57:15
Sorry, I don't get that? How should I split up my customer database for each of my staff (example)? They need to access the same data, but regulated by the permissions they get (read customer A completely but don't read invoices from customer B)
Uwe
2010-07-29 06:51:05
@Uwe oah sorry i didn't know that. Then there is absolutely no doubt in my mind that this is absolutely impossible to secure due to very serious architectural flaws. You must impermanent an intermediary, like a SOAP service, to build quires for. Also keep in mind that an attacker will be able to access the SOAP service without your client, so you cannot implement a client side security system. This is the very basics of security, you can never trust the client (PERIOD).
Rook
2010-07-29 14:54:29
+1
A:
In all security models, including Windows and SQL Authentication, access rights are granted to an user (an identity), not to an application. therefore, any access right needed by the application must be granted to the user running the application. When Windows authentication is used this means that the same user can leverage all the privileges needed by the application himself, from an SSMS query. This is a fundamental rule any administrator must understand. From a security point of view (meaning things like CC compliance and such) this is a fact and any attempt to circumvent it is doomed.
But from a practical point of view, there are certain measures that can be deployed. The most commonly used one is to use a logon trigger that validates the APP_NAME() and allows access for SSMS only from a well defined set of client workstations, and for a well defined set of users.
CREATE TRIGGER reject_SSMS
ON ALL SERVER WITH EXECUTE AS '...'
FOR LOGON
AS
BEGIN
IF (APP_NAME() = 'Microsoft SQL Server Management Studio'
OR APP_NAME() = 'Microsoft SQL Server Management Studio - Query')
AND (ORIGINAL_LOGIN() NOT IN (...)
OR HOST_NAME() NOT IN (...))
ROLLBACK;
END;
What is important to understand that such mechanisms are NOT security features, as they can be easily circumvented by a malevolent user. They are more like door locks: they don't keep thieves out, they keep honest users honest.
Remus Rusanu
2010-07-28 16:10:05
+1 your right, but you know this has a security tag and you didn't really provide a security solution. As in I **REALLY HOPE** the OP doesn't implement this...
Rook
2010-07-28 18:59:01