We have a .NET 2.0 winforms app that connects to a SQL Server 2005 database using Windows Authentication. All the database modifications are done using stored procedures which are called from the app. This works fine and users are only permitted to do things that their role permits.
我们有一个.NET 2.0 winforms应用程序,它使用Windows身份验证连接到SQL Server 2005数据库。所有数据库修改都是使用从应用程序调用的存储过程完成的。这样可以正常工作,只允许用户执行其角色允许的操作。
However, it has occurred to us that any user with permission to use the app could theoretically fire up MS Access and connect to the database using ODBC and modify any record they wish on the database.
但是,我们发现任何有权使用该应用程序的用户理论上都可以启动MS Access并使用ODBC连接到数据库并修改他们希望在数据库上创建的任何记录。
We have created a Security Group in Active Directory, made this a login in SQL Server and then made this a user in the database with the correct rights to be able to use the app. Other domain users are blocked using db_denydatareader and db_denydatawriter.
我们在Active Directory中创建了一个安全组,使其成为SQL Server中的登录名,然后使其成为数据库中具有能够使用该应用程序的正确权限的用户。使用db_denydatareader和db_denydatawriter阻止其他域用户。
How do we go about locking this down so modifications via Access etc. are not possible, whilst the application still functions correctly from the desktop .NET app?
我们如何解决此问题,因此无法通过Access等进行修改,同时应用程序仍可从桌面.NET应用程序正常运行?
1 个解决方案
#1
3
SQL server allows you to assign execute permissions to individual stored procedures. If all allowed updates are through your stored procedures, add execute permissions to these, and remove data-writer privileges.
SQL Server允许您为各个存储过程分配执行权限。如果所有允许的更新都是通过存储过程进行的,请为这些更新添加执行权限,并删除数据写入程序权限。
#1
3
SQL server allows you to assign execute permissions to individual stored procedures. If all allowed updates are through your stored procedures, add execute permissions to these, and remove data-writer privileges.
SQL Server允许您为各个存储过程分配执行权限。如果所有允许的更新都是通过存储过程进行的,请为这些更新添加执行权限,并删除数据写入程序权限。