dpd


I want to test Application Roles security for our project; I guess it serves the purpose.

But the question I have is: if a developer who can look at the application code knows the "Password", can he set the password from Query Analyzer and get access to the database?

Thanks!




Re: Using Application Roles

Raul Garcia - MS


I strongly recommend against hardcoding any password in your application. It only takes the password to be found/disclosed once to compromise the security of your system and all other systems using the same application, and it limits your options for password aging.

The only mitigation in the case of approles is that the approle password itself doesn't grant access to connect to SQL Server. The attacker would need credentials and access to the database (guest access would be sufficient) before being able to set the approle.

-Raul Garcia

SDE/T

SQL Server Engine
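The sequence Raul describes, laid out as a T-SQL walkthrough. This is an added example, not code from the thread or from Microsoft; the database, table, login and role names and the passwords are placeholders chosen for illustration, and sp_setapprole / sp_unsetapprole are the standard SQL Server procedures for activating and reverting an application role.

```sql
-- Added example (T-SQL), not part of the original thread. AppDemo, dbo.Orders,
-- reader_login, app_reports and every password below are assumed placeholders.
-- Run the first and last sections as a sysadmin (SSMS / sqlcmd); the middle
-- section on a second connection opened as reader_login.

-- ===== Connection 1: sysadmin sets things up =====
USE master;
IF DB_ID('AppDemo') IS NULL CREATE DATABASE AppDemo;
GO
USE AppDemo;
GO
IF OBJECT_ID('dbo.Orders') IS NULL
    CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, Amount money NOT NULL);
INSERT INTO dbo.Orders (OrderId, Amount) VALUES (1, 10.00), (2, 25.50);

-- The approle. Its password activates the role inside a database; it is not a
-- login and cannot be used in a connection string.
CREATE APPLICATION ROLE app_reports
    WITH PASSWORD = N'Use-a-generated-secret-not-this', DEFAULT_SCHEMA = dbo;
GRANT SELECT ON dbo.Orders TO app_reports;

-- The minimum an attacker needs besides the approle password: something that
-- can connect and reach this database. A login mapped to a user with no grants
-- beyond the implicit CONNECT is enough (if guest is enabled on the database,
-- an unmapped login would do, which is Raul's "guest access" remark).
CREATE LOGIN reader_login WITH PASSWORD = N'Another-generated-secret';
CREATE USER reader_login FOR LOGIN reader_login;
GO

-- ===== Connection 2: opened as reader_login, e.g. =====
--   sqlcmd -S . -d AppDemo -U reader_login -P "Another-generated-secret"
SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user;  -- reader_login / reader_login
SELECT OrderId FROM dbo.Orders;  -- fails: Msg 229, SELECT permission denied on 'Orders'

-- Holding a usable login AND the approle password, the caller becomes the role.
-- Keep a cookie so the context can be reverted later in the same session.
DECLARE @cookie varbinary(8000);
EXEC sp_setapprole
    @rolename      = 'app_reports',
    @password      = N'Use-a-generated-secret-not-this',
    @fCreateCookie = true,
    @cookie        = @cookie OUTPUT;

SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user;  -- reader_login / app_reports
SELECT OrderId, Amount FROM dbo.Orders;                       -- now succeeds

-- Revert to the original user context (possible only because a cookie was kept).
EXEC sp_unsetapprole @cookie;
SELECT USER_NAME() AS db_user;                                -- reader_login again
GO

-- ===== Connection 1 again: checks a DBA would run =====
-- Inventory of application roles in this database (type 'A' = APPLICATION_ROLE).
SELECT name, create_date, modify_date
FROM sys.database_principals
WHERE type = 'A';

-- Password aging, the option Raul says hardcoding takes away: rotate the approle
-- password server-side and have the application fetch it from a secret store.
ALTER APPLICATION ROLE app_reports WITH PASSWORD = N'Rotated-generated-secret';

-- Cleanup.
DROP USER reader_login;
DROP LOGIN reader_login;
DROP APPLICATION ROLE app_reports;
GO
```

Two things the walkthrough makes concrete: the approle password is worthless without a separate way to connect, and it is sufficient once any such way exists, so the login the application uses should carry nothing beyond CONNECT. The @password argument also travels to the server in the batch text; the @encrypt = 'odbc' option only obfuscates it, so rely on an encrypted (TLS) connection rather than on that option.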







Re: Using Application Roles

arsonist

hi there

I'm new here. I have a question that I'm sure is very easy for you to handle: what is an application role, and what is a database role? I know what a DB role is, but not what an application role is. Can you please help me?






Re: Using Application Roles

Arnie Rowland

Refer to Books Online, Topic: Application Role