How Do I Maximize Security When Connecting to a SQL Server Database?
About SQL Server database access in Crystal Reports
When using Crystal Reports for Visual Studio 2005, a SQL Server database is accessed from either of the following sources:
- Directly from the report file, using database connectivity information that is stored in the file.
The embedded Crystal Report Designer configures the database connectivity information when the report is created or modified. The information is automatically passed to the database by the report engine whenever the report is displayed.
- From Crystal Reports .NET API code.
The database connectivity information can be reconfigured with code that interacts with the report programmatically at runtime.
Regardless of where the connectivity information comes from, the security problem is the same: the report engine must hold credentials that can reach the database, so you have to keep those credentials out of an attacker's hands and limit what they can do if they are ever exposed.
Option 1: Use Windows Authentication with Integrated Security
For maximum security, Microsoft recommends Integrated Security through Windows Authentication. SQL Server then authenticates the Windows identity the application runs under (for an ASP.NET application, the worker process account unless impersonation is enabled), so no user ID or password string is stored in the report file, in configuration, or in code. That Windows account still needs a login on the SQL Server, and it should be granted no more than the report requires.
Note For instructions on how to configure Windows Authentication using MSDE, see MSDE Installation with Windows or SQL Server Authentication.
For a tutorial that demonstrates how to integrate a Crystal report with Integrated Security into a Web or Windows application, see Logging onto a Secure SQL Server Database Using Integrated Security.
Option 2: Use SQL Server Authentication with a Limited Access Database Account and Possibly Encryption
If you must use SQL Server Authentication, you have to take extra steps, because the application now holds a user ID and password that an attacker can reuse against the database directly.
Never use the system administrator (sa) ID and password in your code: anyone who recovers those credentials owns the server. Instead, do the following:
- Create a limited access database account that is used only by your reports.
- Grant this account access only to the tables the report actually requires.
- For each of those tables, grant only SELECT permission. A report only reads data, so it needs nothing else, and an exposed account then cannot modify or delete anything.
Microsoft further recommends that you encrypt the user ID and password rather than leaving them in clear text in source code or configuration files. For information about how to encrypt your user ID and password, see the Security information in MSDN.
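The following C# is an added example for this topic; it is not code from Crystal Reports or from the tutorials linked below. It puts both options into one class: building a ConnectionInfo for Windows Authentication (Option 1) or for a limited SQL Server account whose credentials come from an encrypted connectionStrings section (Option 2), applying that ConnectionInfo to every table in the report at runtime, and a check that the account the report will use holds nothing beyond SELECT on the report's tables. It assumes the Crystal Reports for Visual Studio 2005 assemblies (CrystalDecisions.CrystalReports.Engine and CrystalDecisions.Shared), .NET Framework 2.0, and SQL Server 2005 or later for the fn_my_permissions check (MSDE 2000 does not have that function); server, database and connection-string names are placeholders.

```csharp
// Added example for this topic, not code from Crystal Reports or the linked tutorials.
// Assumes Crystal Reports for Visual Studio 2005 (CrystalDecisions.CrystalReports.Engine,
// CrystalDecisions.Shared), .NET Framework 2.0, and SQL Server 2005 or later for the
// fn_my_permissions check. Server, database and connection-string names are placeholders.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using CrystalDecisions.CrystalReports.Engine;
using CrystalDecisions.Shared;

public static class ReportLogon
{
    // Option 1: Windows Authentication. SQL Server authenticates the identity the
    // process runs under (for ASP.NET, the worker process account unless impersonation
    // is enabled), so no user ID or password exists anywhere in the application.
    public static ConnectionInfo ForIntegratedSecurity(string server, string database)
    {
        ConnectionInfo info = new ConnectionInfo();
        info.ServerName = server;
        info.DatabaseName = database;
        info.IntegratedSecurity = true;
        return info;
    }

    // Option 2: SQL Server Authentication with a limited account. The credentials are
    // read from a named <connectionStrings> entry; encrypt that section (for example
    // with aspnet_regiis -pe "connectionStrings") so the password is never in clear text.
    public static ConnectionInfo ForSqlAuthentication(string connectionStringName)
    {
        ConnectionStringSettings settings = ConfigurationManager.ConnectionStrings[connectionStringName];
        if (settings == null)
            throw new ConfigurationErrorsException("Missing connection string: " + connectionStringName);
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder(settings.ConnectionString);
        // Refuse the system administrator account outright, whatever the configuration says.
        if (string.Equals(builder.UserID, "sa", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("Reports must not log on as sa.");
        ConnectionInfo info = new ConnectionInfo();
        info.ServerName = builder.DataSource;
        info.DatabaseName = builder.InitialCatalog;
        info.UserID = builder.UserID;
        info.Password = builder.Password;
        return info;
    }

    // Replace the connectivity information saved in the .rpt file with the runtime
    // choice, for every table the report uses.
    public static void Apply(ReportDocument report, ConnectionInfo info)
    {
        foreach (Table table in report.Database.Tables)
        {
            TableLogOnInfo logOn = table.LogOnInfo;
            logOn.ConnectionInfo = info;
            table.ApplyLogOnInfo(logOn);
        }
    }

    // Least-privilege check: every effective permission other than SELECT that the
    // report's account holds on the report's tables. Empty means the account is as
    // limited as this topic requires; UPDATE, DELETE or CONTROL (db_owner, sysadmin)
    // means it is over-privileged and the report should not be displayed.
    public static List<string> ExcessPermissions(ConnectionInfo info, ReportDocument report)
    {
        List<string> excess = new List<string>();
        using (SqlConnection conn = new SqlConnection(ToConnectionString(info)))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT permission_name FROM sys.fn_my_permissions(@table, 'OBJECT') " +
            "WHERE permission_name <> 'SELECT'", conn))
        {
            cmd.Parameters.Add("@table", SqlDbType.NVarChar, 512);
            conn.Open();
            foreach (Table table in report.Database.Tables)
            {
                cmd.Parameters["@table"].Value = table.Location; // table name as saved in the report
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        excess.Add(table.Location + ": " + reader.GetString(0));
                }
            }
        }
        return excess;
    }

    // Connect with exactly the identity the report will use, so the check is exact.
    private static string ToConnectionString(ConnectionInfo info)
    {
        SqlConnectionStringBuilder builder = new SqlConnectionStringBuilder();
        builder.DataSource = info.ServerName;
        builder.InitialCatalog = info.DatabaseName;
        if (info.IntegratedSecurity) builder.IntegratedSecurity = true;
        else { builder.UserID = info.UserID; builder.Password = info.Password; }
        return builder.ConnectionString;
    }
}
```

Before binding the report to a CrystalReportViewer, build the ConnectionInfo with whichever method matches your option, call Apply with it, then call ExcessPermissions with the same arguments and refuse to display the report if the list is not empty. The check runs as the report's own account, so it sees the permissions that account actually has, including those inherited through roles; on the server side that account should be a login mapped to a database user that has been granted SELECT, and only SELECT, on the tables the report reads.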
Note For instructions on how to configure SQL Authentication with MSDE, see MSDE Installation with Windows or SQL Server Authentication.
To learn how to configure a limited access database account, see Security: Creating a Limited Access Database Account.
To complete a tutorial that demonstrates how to integrate a Crystal report using SQL Authentication into a Web or Windows application, see Logging onto a Secure SQL Server Database Using SQL Authentication.