I'm working on a website (asp.net c# with SQL Server) and the client is asking for SSO solution. I'm looking to use one shortest implementation where we can create sub-domains for different modules and install/deploy on same or different servers but all of these module/application uses same SQL Server and session is also maintained and shared by SQL Server. However the client is concerned about the performance/scalability and security therefore I would like your advise if you have already worked on such projects and if you would recommend me this solution or anything else.
thank you in advance for your help !
Keep your single sign on information in LDAP. It's definitely the most standardized way to store user information and access. It's really just a database but if scalability and performance are concerns this is your best bet.
Related
I'm currently looking at metadata solutions for Microsoft SQL Server 2016. I'm interested in using Schemaspy. I think it looks like a great free way to document metadata, but I'm worried that it may not be secure for use in a company with sensitive data.
Question: Is Schemaspy secure to use? Can it be used as a loophole to hack into servers?
Thank you very much in advance!
SchemaSpy is solution that can be used with sensitive and confidential data.
Application code itself is not reading the database data but database structure and metadata from jdbc driver.
SchemaSpy is run as local program and everything what application is generating happen only on your computer and stay there.
In the code base we are not using any external servers or web services in the process of generating and preparing database documentation.
You can look on generated example by SchemaSpy: http://schemaspy.org/sample/index.html
I'm new to databases and It's been almost a month I'm working with databases (mostly with MongoDB which is a NoSQL database and I'm loving it :D)
What I am wondering is the security risks you take when you do a direct access to database from let's say a native iOS app.
I know a popular way to this is web service though.
Thanks,
Peyman
I think there're 2 risks obviously:
sql injection.
How to deal with the db password. Just put the plain text in your
config or connection strings?
+1 on password protection or connection strings. Not to mention that your firewall would have to allow every ip through on your database port. People use web services for a reason...in my opinion, don't even consider this an option
I think this question better fits here rather than ServerFault, but if I'm wrong, please correct me.
I have a system which has a database that also queries Windows Indexing Services. The queries are done via T-SQL using the OpenQuery(Linked_Server_Name, ...) function.
When the DB and the Indexing Services are on the same server, everything works perfectly.
Now I need to scale my system up, which means I'll have to separate the DB server from the Indexing Services server. The problem is, I couldn't find a way to remotely query the Indexing Services.
Did anyone succeed with a similar setup?
If no, what alternatives would you suggest?
I had a similar problem in my company and I googled, that remote indexing is impossible. But we found a solution. Now we have one server with DB and another server with IIS and attachments which are indexed. The solution was to share attachments folder (or maybe whole disc) that DB server could see them. Unfortunatly, I changed position in the company and I don't have permissions anymore to connect to servers to check for configuration, so I can't write what and where exactly must be done.
It really does seem impossible to remote query MSIDXS. I ended up writing a web service that wraps the MSIDXS and is called remotely.
Performance aren't as good, though.
i am preparing for Microsoft exam 70-432 SQL Server 2008 . In the book i read, its highly recommended that you use separate log-in for each SQL Service. But i am unable to understand what is a benefit in using separate USER?
Please let me know if anyone has an idea about this.
Regards,
fayalif
The benefit is that if somehow someone manages to take control of one of the services he will not have access to the other ones.
What Giorgi said and that the different services require different rights.
By using different accounts these individual accounts have as little rights as possible. Combining these accounts by using one account a malicious user could obtain enough rights to do damage.
I have been working on VB6 database desktop programming, but now a client is asking for a
simple web interface (some inserts into SQL Server db used by a desktop application).
The question is: Which approach is better?
1)creating asp.net project, connected directly to the SQL Server database;
2)creating separate (simple) mysql database managed by php and synchronization (in 15 minutes for example)
Thanks.
Personally since you already have the SQL Server database, I see no reason whatsoever to add the complexity of another database and then synchonization. The first alternative is simpler to create and can be secure if you design it correctly. The issue about hosting is irrelevant since you are going to your own database that already exists, so is the issue about cost since the databse is already there. Further since you are already supporting SQL Server, you may be able to reuse some code rather than write new code (mysql's version of SQL is not the same as SQl Server's version). Synching the two databases may be more complex than you think (differnt data types, etc.) and the data in the real database is not real-time whereas with the first alternative it is.
I'd prefer the separate database approach.
It's more secure.
PHP/Mysql hosting is widespread
You can pretty much achieve anything with the technologies available, it just depends on your skill and productivity with specific technologies and the availability of online help. Plus Microsoft stuff you tend to have to pay for whereas PHP/MySQL is totally free.