asp.netsql-server-2008securityweb-configintegrated-security

SQL Server integrated security without SQL Server Management Studio


I am using integrated security in an ASP.net application, the IIS and SQL Server are both hosted on the same server machine running Windows Server 2008 R2.

Is it possible to allow users to access the application from across the network AND logged in users but not let them access the database directly or via SQL Server Management Studio?

I am trying to safeguard the database access because my application is going to be deployed on the client's server at client's premises.

Here is my connection string that i am currently using

<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="LocalSqlServer" providerName="System.Data.SqlClient" />

<add connectionString="Server=.\sqlexpress;Database=DB89akwA;Integrated Security=true" name="MainAppConnectionString" providerName="System.Data.SqlClient" />

These are the two connection strings i am currently using, one is for ASP.net Authentication and second is used by my application. These both strings are the same and of the same database.

Any suggestions?


Solution

  • It is not possible to 'secure' a database running on client's premises. The client's staff can get the password from the ASP.Net connection string. A domain administrator can always gain access to the database (there is an actual MSDN article describing the process: Connect to SQL Server When System Administrators Are Locked Out).

    If you want to hide the Intelectual Property you feel your database has, then your only solution is to not deploy the database on the client premise (use a hosted database like SQL Azure for instance).

    If you simply want to prevent the client from interfering with the database you can stipulate so in the contract. Auditing and detecting interference is possible.