
I have created a WinForms application which stores some sensitive data like username and password. The system is used by many users. I am using SQL Server Express for storing data.

The application downloads data from a remote server using Sync Framework. I want to create only one user for that database so I can sync that database.

My problem is that I want to hide the database from all users who are using the application and also from the sa & Windows authentication accounts, so no one can see the other usernames or passwords.

How can I do this?

marc_s
user2634551
  • I'm **hoping** you're not storing those passwords **in clear TEXT**, now are you?? – marc_s Nov 30 '13 at 14:52
  • You can hide passwords by simply not storing the passwords. Starting point > http://stackoverflow.com/questions/1054022/best-way-to-store-password-in-database – Bogdan Sahlean Nov 30 '13 at 15:09
  • Yes, I don't have an option for that, because in Sync Framework 2.1 (using sync database) there is no option for data encryption. – user2634551 Nov 30 '13 at 15:10

1 Answer


If I understand well, the best way to do it is:

  1. Keep one administrative login (one login that is a member of sysadmin). It will be you. You need at least one admin.
  2. Disable sa: `ALTER LOGIN [sa] DISABLE;`
  3. For all other logins, add them as users in the database, but don't give them any permission. They won't be able to see anything.
  4. Use an application role (which is deprecated) OR create a user without login and use EXECUTE AS (which is the new way to go). You can learn more about it here: http://msdn.microsoft.com/en-us/library/bb669062(v=vs.110).aspx and http://msdn.microsoft.com/en-us/library/bb669087(v=vs.110).aspx. That will allow you to set other permissions for your users only when they connect through the application.
rudi bruchez
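
Steps 2 to 4 of the answer above as a T-SQL script for sqlcmd or SSMS, added here as an illustration and not code from the answer's author. It uses the `EXECUTE AS` clause on a stored procedure rather than an `EXECUTE AS` statement sent by the application, and every object name (HideDemo, dbo.Accounts, AppCaller, AppProxy, dbo.GetAccount) is hypothetical.

```sql
-- Added example; HideDemo, dbo.Accounts, AppCaller, AppProxy and dbo.GetAccount
-- are hypothetical names. Run as the one sysadmin login kept in step 1.
ALTER LOGIN [sa] DISABLE;                            -- step 2
GO
CREATE DATABASE HideDemo;
GO
USE HideDemo;
GO
CREATE TABLE dbo.Accounts (UserName    nvarchar(128) PRIMARY KEY,
                           DisplayName nvarchar(128) NOT NULL);
INSERT INTO dbo.Accounts VALUES (N'alice', N'Alice (constructed row)');
GO
-- Step 3: a user with no permissions. Created WITHOUT LOGIN here so the script
-- runs anywhere; in production use: CREATE USER AppCaller FOR LOGIN [<login>];
CREATE USER AppCaller WITHOUT LOGIN;
-- Step 4: the user without login that actually holds the table permission.
CREATE USER AppProxy WITHOUT LOGIN;
GRANT SELECT ON dbo.Accounts TO AppProxy;
GO
-- The procedure body runs as AppProxy, whoever the caller is.
CREATE PROCEDURE dbo.GetAccount @UserName nvarchar(128)
WITH EXECUTE AS 'AppProxy'
AS
BEGIN
    SET NOCOUNT ON;
    SELECT UserName, DisplayName FROM dbo.Accounts WHERE UserName = @UserName;
END;
GO
GRANT EXECUTE ON dbo.GetAccount TO AppCaller;
GO
-- Check: impersonate the caller and try both paths.
EXECUTE AS USER = 'AppCaller';
BEGIN TRY
    SELECT TOP (1) UserName FROM dbo.Accounts;       -- should raise error 229
    PRINT 'PROBLEM: AppCaller can read dbo.Accounts directly';
END TRY
BEGIN CATCH
    PRINT 'OK: direct read denied, error ' + CAST(ERROR_NUMBER() AS varchar(10));
END CATCH;
EXEC dbo.GetAccount @UserName = N'alice';            -- succeeds via the procedure
REVERT;
GO
```

Members of sysadmin are not subject to these permission checks, so the login kept in step 1 can still read the table.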