Hi,
We are developing a web application with .NET. I have read some articles
from Microsoft, but I am still unclear about how to go about ensuring
security.
1) Do we have to have Database Roles mapped to Database users to ensure
security?
* If we had one admin account to a specific database and then validated
users from application-level security, would it be a bad idea?

2) How can we do row level tracking?
i.e.: Say we have Table A that can be accessed by user A & user B. But user A
can access all records on that while user B can access some records. How do
we achieve that? We figured we need to maintain an Access Matrix table in the
DB.
For example, say Table A row 3 can be accessed by emp id 1 & 2 and
Table B row 4 can be accessed by emp id 1.
But this really increases complexity and might bring down performance and
maintainability as such.

3) If we do role based (i.e.: RoleA -> can access TableA, TableB; RoleB -> can
access TableC, TableD; and there is user1 with ROLEA and user2 with ROLEB) from
SQL Server, how should we map this to the application? Should the application
pass user name and password and assume that identity, then when a DB call
fails throw back a formatted exception to the user? But then in this
instance the application doesn't know that information beforehand. (I assume
that there is no way, without an admin password, the application can query and
get user name/password from SQL Server.)
So how should we go about it?

Thanks in advance.
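One way to build the Access Matrix design described in question 2), as an added example that is not from the original post or any reply; it uses SQLite with constructed sample data (table and column names are assumptions), keeps the row filter inside the database join, whitelists table names and binds every other value as a parameter:

```python
import sqlite3

# Constructed sample schema and data (assumed, not from the post): two business
# tables plus the access-matrix table. A grant row means "emp_id may read
# row_id of table_name"; a row with no grant is invisible to that employee.
SCHEMA = """
CREATE TABLE table_a (row_id INTEGER PRIMARY KEY, payload TEXT);
CREATE TABLE table_b (row_id INTEGER PRIMARY KEY, payload TEXT);
CREATE TABLE row_access (
    table_name TEXT NOT NULL, row_id INTEGER NOT NULL, emp_id INTEGER NOT NULL,
    PRIMARY KEY (table_name, row_id, emp_id));
INSERT INTO table_a VALUES (3, 'a-3'), (4, 'a-4');
INSERT INTO table_b VALUES (4, 'b-4');
-- Table A row 3: emp 1 and 2; Table A row 4: emp 1; Table B row 4: emp 1
INSERT INTO row_access VALUES ('table_a', 3, 1), ('table_a', 3, 2),
                              ('table_a', 4, 1), ('table_b', 4, 1);
"""

# Table names cannot be bound as SQL parameters, so they are checked against a
# fixed allow-list before interpolation; every other value is a bound parameter.
ALLOWED_TABLES = {"table_a", "table_b"}

def open_db():
    """Create an in-memory SQLite database loaded with the sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def _check_table(table):
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table!r}")

def visible_rows(conn, table, emp_id):
    """Row ids of `table` that emp_id holds a grant for, in id order.
    Filtering happens in the database join, never in application code."""
    _check_table(table)
    sql = (f"SELECT t.row_id FROM {table} AS t "
           "JOIN row_access AS ra ON ra.table_name = ? AND ra.row_id = t.row_id "
           "WHERE ra.emp_id = ? ORDER BY t.row_id")
    return [r[0] for r in conn.execute(sql, (table, emp_id))]

def fetch_row(conn, table, row_id, emp_id):
    """Payload of one row, or None when the row is missing OR not granted:
    both cases look identical to the caller, so nothing leaks about row ids."""
    _check_table(table)
    sql = (f"SELECT t.payload FROM {table} AS t "
           "JOIN row_access AS ra ON ra.table_name = ? AND ra.row_id = t.row_id "
           "WHERE t.row_id = ? AND ra.emp_id = ?")
    row = conn.execute(sql, (table, row_id, emp_id)).fetchone()
    return row[0] if row else None
```

The composite primary key on row_access keeps grants unique and indexed, which is what keeps the per-row join cheap as the matrix grows.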

Re: Web Application Security by Karl

Karl
Sat Sep 18 06:42:54 CDT 2004

This doesn't directly answer your question, but may be useful anyway:

www.sqlsecurity.com
www.owasp.org
www.microsoft.com/technet/security

You might get much better answers asking these questions in a newsgroup for
your specific product, e.g. .NET and presumably SQL. I think more
programmers tend to hang out in those newsgroups.

You also might need info from books due to the depth and complexity of the
topic. Secure Coding from MS Press, and books like Hacking Web Apps Exposed
or the similar Stuart McClure book are probably recommended.


"Nipz" <Nipz@discussions.microsoft.com> wrote in message
news:230721C6-B2C8-40C2-B134-005DA074E67C@microsoft.com...



Re: Web Application Security by jeff

jeff
Sat Sep 18 23:13:57 CDT 2004

On Sat, 18 Sep 2004 01:15:02 -0700, "Nipz"
<Nipz@discussions.microsoft.com> wrote:

>Hi,
>We are developing a web application with .NET. I have read some articles
>from Microsoft, but I am still unclear about how to go about ensuring
>security.
>1) Do we have to have Database Roles mapped to Database users to ensure
>security?

That's one way, but not the only way.

>* If we had one admin account to a specific database and then validated
>users from application-level security, would it be a bad idea?

Not necessarily, but it provides a single security block instead of
multiple levels.

>2) How can we do row level tracking?
>i.e.: Say we have Table A that can be accessed by user A & user B. But user A
>can access all records on that while user B can access some records. How do
>we achieve that? We figured we need to maintain an Access Matrix table in the
>DB.
>For example, say Table A row 3 can be accessed by emp id 1 & 2 and
>Table B row 4 can be accessed by emp id 1.
>But this really increases complexity and might bring down performance and
>maintainability as such.

Ask in the group related to your database.

>3) If we do role based (i.e.: RoleA -> can access TableA, TableB; RoleB -> can
>access TableC, TableD; and there is user1 with ROLEA and user2 with ROLEB) from
>SQL Server, how should we map this to the application? Should the application
>pass user name and password and assume that identity, then when a DB call
>fails throw back a formatted exception to the user? But then in this
>instance the application doesn't know that information beforehand. (I assume
>that there is no way, without an admin password, the application can query and
>get user name/password from SQL Server.)
>So how should we go about it?

Well, first you should try the SQL and .NET groups for answers, not a
general security group. Second, you may be overthinking this; the
security available in Windows and SQL should cover all your bases
pretty seamlessly.

Jeff