2

I'd have to implement my own security for the application (windows form).

The application is for internal use (10 users) but security is very important due to sensitive data. (SQL Server 2008 is in the back end, .NET 4.0)

I don't have a login form but I have a connection string in app.config. So I guess that maybe app.config is a good place to implement AD groups? Or borrow the ASP.NET membership provider?

Thanks for advice.

zimdanen

3 Answers

1

If you're trying to maintain database permissions, set them on the database and have your application use Integrated Security=True in the connection string. The user will connect as themselves to the database and have whatever permissions the database specifies.

zimdanen
  • No. Many people can access database but only a few people can access the application. –  May 08 '12 at 18:19
  • So you want to make it harder for the people who don't have access to the application to do whatever the application does? If they have access to the database, they can do it themselves; why lock down the app? – zimdanen May 08 '12 at 18:20
  • It should not matter. If the first thing the application does is it connects to the database, then only these few users will be able to access the application who have rights assigned on the SQL server. This answer sounds like a correct one then. – Wiktor Zychla May 08 '12 at 18:21
  • Do you mean assign roles in SQL Server by AD groups? –  May 08 '12 at 18:27
  • If you want it by group, then grant permissions by group. If you want it by user, then grant permissions by user. But let the database handle database permissions; all your app needs to do is connect up with the user's account. Then you are not unnecessarily in the role of handling permissions. – zimdanen May 08 '12 at 18:28
  • But I don't have login form. How can I connect my app to the user account? I have no experience for it? Any links? –  May 08 '12 at 18:32
  • They are already logged into their laptops through AD, right? All you have to do is have your connection string specify to use their current AD credentials. For example: `` – zimdanen May 08 '12 at 18:33
  • So we can get `WindowsIdentity identity = WindowsIdentity.GetCurrent(); WindowsPrincipal principal = new WindowsPrincipal(identity);`??? –  May 08 '12 at 18:34
  • If the user is logged into their machine with the AD account, you don't have to do **anything** other than have the `Integrated Security=True` in your connection string. One step. – zimdanen May 08 '12 at 18:39
  • I know. But I want the application to pop out an error when the user is not in the given groups. I think that we need code to make a judgement. I may be wrong, but... –  May 08 '12 at 18:41
  • My question is - why? If they have access to perform the functions in the database, they can do it with or without your application, so why limit the application to a specific set of groups? – zimdanen May 08 '12 at 18:46
  • The users are helpdesk guys. They don't know how to code or how to join tables at all. They may only have high school education level. I develop the application for them. Database is in the back end. –  May 08 '12 at 18:49
  • 1) That's a bit assumptive. 2) My concern isn't **for whom** you wrote the application; rather, it's for whom you **didn't**. What do you gain by preventing **others** from using your application? Can these **others** write SQL code? – zimdanen May 08 '12 at 18:51
1

Why not just use active directory group membership to control security? Your connection string to the SQL Server database can go in the config file, but you should probably 'encrypt' that before releasing it to clients.

MattN
  • I mean, suppose that there are only two application groups that can access the application. How? –  May 08 '12 at 18:16
  • I'm not sure I understand your comment. Are you asking how to only allow users in a given AD group permission to access the application? – MattN May 08 '12 at 18:28
0

If you're determined to check the user's AD groups and prevent the application from continuing to run on startup, take a look here.

Community
zimdanen
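Added example, not part of the original thread or of any poster's code: a Windows Forms entry point that refuses to start unless the logged-on Windows account is in one of two AD groups, then builds an `Integrated Security` connection string so SQL Server sees the same account. The group, server and database names are hypothetical placeholders.

```csharp
using System;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Principal;
using System.Windows.Forms;

static class Program
{
    // Hypothetical AD groups allowed to open the application (placeholders).
    static readonly string[] AllowedGroups =
    {
        @"CORP\HelpdeskApp-Users",
        @"CORP\HelpdeskApp-Admins"
    };

    // True when the Windows account running the process is in an allowed group.
    static bool IsAuthorized(WindowsIdentity identity)
    {
        var principal = new WindowsPrincipal(identity);
        return AllowedGroups.Any(g => principal.IsInRole(g));
    }

    [STAThread]
    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            if (!IsAuthorized(identity))
            {
                MessageBox.Show(identity.Name + " is not in a group allowed to use this application.",
                    "Access denied", MessageBoxButtons.OK, MessageBoxIcon.Error);
                return; // stop before any form or database connection is created
            }
        }

        // No user name or password is stored: SQL Server authenticates the
        // user's own AD account and applies the permissions granted to it.
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = "SQLSERVER01",     // placeholder server name
            InitialCatalog = "HelpdeskDb",  // placeholder database name
            IntegratedSecurity = true
        };

        Application.EnableVisualStyles();
        // A real main form would open its SqlConnection with this string.
        Application.Run(new Form { Text = "Helpdesk", Tag = csb.ConnectionString });
    }
}
```

The startup check only controls who sees the user interface. Anyone with rights on the database can still reach the data with other tools, so the same AD groups should be the ones granted permissions in SQL Server.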