Working with Secured Data Sources and Components

To write secure ADO.NET code, you have to understand the security mechanisms available in the underlying data store, or database. You also need to consider the security implications of other features or components that your application may contain.

Accessing SQL Server Databases

The credentials used for authentication need to be handled differently based on the type of application. For example, in a Windows Forms application, the user can be prompted to supply authentication information, or the user's Windows credentials can be used. However, a Web application often accesses data using credentials supplied by the application itself rather than by the user. For more information on SQL Server, see SQL Server Books Online.

| Topic | Description |
| --- | --- |
| Connecting and Retrieving Data in ADO.NET | Provides information and additional links for working with data, including Connection, Command, DataReader and DataAdapter objects. The topic also discusses how to obtain schema information from a database. |
| Using the .NET Framework Data Provider for SQL Server | Describes all aspects of working with the .NET Framework Data Provider for SQL Server. |
| Accessing SQL Server from a Web Application | Describes authentication options for ASP.NET applications. |
| ASP.NET Web Site Configuration | Discusses overall configuration issues, including creating and configuring an application services database for SQL Server. |
| Managing Security | MSDN content describing SQL Server security architecture and how to implement it. Also available in SQL Server Books Online. |
| SQL Server Security Center | TechNet website providing guidance and procedures for securing your SQL Server databases. |
| Security Considerations for SQL Server | MSDN content that describes SQL Server 2005 security and provides links to additional topics. Also available in SQL Server Books Online. |
| How to: Enable Encryption Connections to the Database Engine | MSDN content describing how to enable encrypted connections by specifying a certificate for the Database Engine using SQL Server 2005 Configuration Manager. Also available in SQL Server Books Online. |
| Encrypting Connections to SQL Server | MSDN content describing how to configure Secure Sockets Layer (SSL) encryption in SQL Server 2005. Also available in SQL Server Books Online. |
| CLR Integration Security | MSDN content describing the security model of the Microsoft SQL Server integration with the .NET Framework common language runtime (CLR). Also available in SQL Server Books Online. |

Accessing Jet and Excel Data Sources

Microsoft Access and Microsoft Excel can act as a data store for an ADO.NET application when security requirements are minimal or nonexistent. Their security features are effective for deterrence, but should not be relied upon to do more than discourage meddling by uninformed users. The physical data files for Access and Excel exist on the file system, and must be accessible to all users. This makes them vulnerable to attacks that could result in theft or data loss since the files can be easily copied or altered. When robust security is required, use SQL Server or another server-based database where the physical data files are not readable from the file system.

The following Office Online topics contain information relevant to securing Access and Excel data sources.

| Resource | Description |
| --- | --- |
| Help protect an Access database with user-level security (MDB) | Applies to Access. Provides instructions for implementing user-level security to protect data. |
| Understanding the role of workgroup information files in Access security | Applies to Access. Explains the role and relationship of the workgroup information file in Access security. |
| Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 through 2000 | Applies to Access. Answers many Access security questions. |
| Help secure and protect data in Excel | Applies to Excel. Discusses features to keep data secure in Excel, such as password protection and digital certificates. |
| Troubleshoot security and protection | Applies to Excel. Presents solutions to common problems with security. |

Working with Remoting

.NET remoting enables you to build widely distributed applications easily, whether the application components are all on one computer or spread out across the entire world. You can build client applications that use objects in other processes on the same computer or on any other computer that is reachable over its network. You can also use .NET remoting to communicate with other application domains in the same process.

| Resource | Description |
| --- | --- |
| Configuration of Remote Applications | Discusses how to configure remoting applications in order to avoid common problems. |
| Security in Remoting | Describes authentication and encryption as well as additional security topics relevant to remoting. |
| Security and Remoting Considerations | Describes security issues with protected objects and application domain crossing. |

Retrieving Data from a Web Service

An XML Web service provides data that can be consumed by an ASP.NET application, a Windows Forms application, or another Web service. You need to manage security for the Web service itself as well as security for the client application.

| Resource | Description |
| --- | --- |
| Securing XML Web Services Created Using ASP.NET | Describes the authentication and authorization options available to Web services built using ASP.NET. |
| Accessing XML Web Services in Managed Code | Describes the process of locating and accessing Web services in managed code. |
| How to: Connect to Data in a Web Service | Describes how to connect to data returned from a Web service. |
| Walkthrough: Connecting to Data in a Web Service | Walks you through connecting to data returned from a Web service. |

Using Enterprise Services

COM+ has its own security model, which relies on Windows NT accounts and process/thread impersonation. The System.EnterpriseServices namespace provides wrappers that allow .NET applications to integrate managed code with COM+ security services through the ServicedComponent class.

| Resource | Description |
| --- | --- |
| COM+ Role-Based Security and the .NET Framework | Discusses how to integrate managed code with COM+ security services. |
| Writing Serviced Components | Discusses how to use the classes in the EnterpriseServices namespace to create serviced components. |

Interoperating with Unmanaged Code

Working with unmanaged code involves going outside the security perimeter for managed code. Both your code and any code that calls it must have unmanaged code permission (SecurityPermission with the UnmanagedCode flag specified). Unmanaged code can introduce unintended security vulnerabilities into your application. Therefore, you should avoid interoperating with unmanaged code unless it is absolutely necessary.

| Resource | Description |
| --- | --- |
| Unmanaged Code | Provides an overview of security issues for working with unmanaged code. |
| Interoperating with Unmanaged Code | Provides an overview and links to additional topics describing how to interoperate with unmanaged code. |
