
How Do I Maximize Security When Connecting to a SQL Server Database?

Visual Studio 2005

About SQL Server database access in Crystal Reports

When using Crystal Reports for Visual Studio 2005, a SQL Server database is accessed from either of the following sources:

  • Directly from the report file, using database connectivity information that is stored in the file.

    The embedded Crystal Report Designer configures the database connectivity information when the report is created or modified. The information is automatically passed to the database by the report engine whenever the report is displayed.

  • From Crystal Reports .NET API code.

    The database connectivity information can be reconfigured with code that interacts with the report programmatically at runtime.

Regardless of the source for your reports, the security issue remains the same: how do you protect the database from malicious attacks?

Option 1: Use Windows Authentication with Integrated Security

For maximum security, Microsoft recommends the use of Integrated Security through Windows Authentication. This configuration means a user ID and password string won't be needed in your application.

Note   For instructions on how to configure Windows Authentication using MSDE, see MSDE Installation with Windows or SQL Server Authentication.
For a tutorial that demonstrates how to integrate a Crystal report with Integrated Security into a Web or Windows application, see Logging onto a Secure SQL Server Database Using Integrated Security.

Option 2: Use SQL Server Authentication with a Limited Access Database Account and Possibly Encryption

If you need to use SQL Server Authentication with your database, you will have to take extra steps to achieve effective security.

Never use the system administrator ID and password in your code, because this presents a significant security risk. Instead, do the following:

  • Create a limited access database account.
  • Configure this account so that only the required tables in the database can be accessed.
  • For each table that can be accessed, give permission only to run the SELECT statement.
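
The three steps above, written out in T-SQL as an added example that is not part of the original topic. The database name ReportsDb, the account name crystal_report_reader and the tables dbo.Orders and dbo.Customers are hypothetical and are assumed to exist already; the password is a placeholder.

```sql
-- Added example. ReportsDb, crystal_report_reader, dbo.Orders and
-- dbo.Customers are hypothetical names; substitute your own.

-- Step 1: create a SQL Server Authentication login for the reports only.
USE master;
GO
CREATE LOGIN crystal_report_reader
    WITH PASSWORD = '<replace-with-strong-password>',  -- placeholder
         DEFAULT_DATABASE = ReportsDb,
         CHECK_POLICY = ON;   -- enforce the Windows password policy
GO

-- Step 2: map the login to a user in the report database only.
-- Do not add it to db_datareader or any other role: db_datareader
-- would expose every table, not just the required ones.
USE ReportsDb;
GO
CREATE USER crystal_report_reader FOR LOGIN crystal_report_reader;
GO

-- Step 3: grant SELECT, and nothing else, on each table the report reads.
GRANT SELECT ON OBJECT::dbo.Orders    TO crystal_report_reader;
GRANT SELECT ON OBJECT::dbo.Customers TO crystal_report_reader;
GO

-- Check 1: list every permission explicitly granted or denied to the account.
SELECT pr.name                  AS principal_name,
       pe.class_desc,
       OBJECT_NAME(pe.major_id) AS object_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
    ON pe.grantee_principal_id = pr.principal_id
WHERE pr.name = 'crystal_report_reader';
GO

-- Check 2: impersonate the account and ask what it can actually do,
-- which also reflects anything inherited from the public role.
EXECUTE AS USER = 'crystal_report_reader';
SELECT HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'INSERT') AS can_insert,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'UPDATE') AS can_update,
       HAS_PERMS_BY_NAME('dbo.Orders', 'OBJECT', 'DELETE') AS can_delete;
REVERT;
GO
```

If the second check reports any write permission, the grant came from somewhere other than this script (typically the public role) and should be revoked there.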

Microsoft further recommends that you encrypt your user ID and password. For information about how to encrypt your user ID and password, see the Security information in MSDN.

Note   For instructions on how to configure SQL Authentication with MSDE, see MSDE Installation with Windows or SQL Server Authentication.
To learn how to configure a limited access database account, see Security: Creating a Limited Access Database Account.
To complete a tutorial that demonstrates how to integrate a Crystal report using SQL Authentication into a Web or Windows application, see Logging onto a Secure SQL Server Database Using SQL Authentication.

See Also

How Do I Migrate Crystal Reports Projects from Previous Versions? | SDK Fundamentals

© 2014 Microsoft. All rights reserved.