"Martin" wrote:

> Hi all,
>
> We have an administrative application that we are considering to rewrite in
> aspx with vb2005. I think the marketing possibilities are enourmous.
>
> In our standard app, the user logs in by entering his/her user name and
> password. In the online version that would be Client ID / user ID /
> Password. So far so good. But I'm just wondering... how secure is this? I
> guess not very. Every disgruntled employee can go online at home enter their
> name and password and do whatever they like.
>
> Now for clients with a fixed IP address I can check the IP-address as a part
> of the authentication. But what if my client has a dynamic IP-address?
>
> I would love to hear your thoughts on this matter,
>
> Thanks,
> Martin
>
>
>

"M. Posseth" <MPoss***@discussions.microsoft.com> schrieb im Newsbeitrag
news:0A9946BE-51DF-4FA7-BE3A-1D0429470EA4@microsoft.com...
> Username and password in combination with forms authentication or windows
> authentication should be secure enough
>
> if you use forms Authentication and use a DB as storage use parameterized
> query`s or SP`s to protecet against SQL injection
>
> About the employe that abuses his account ,,, it should be clear that
> anyone
> who has the keys to your house can steall everything what is inside ,
> however
> if you arrive at your home and everything is gone without anny traces of
> burglary
> it would sure limit the amount of suspects .
>
> regards
>
> michel
>
>
>
>
> "Martin" wrote:
>
>> Hi all,
>>
>> We have an administrative application that we are considering to rewrite
>> in
>> aspx with vb2005. I think the marketing possibilities are enourmous.
>>
>> In our standard app, the user logs in by entering his/her user name and
>> password. In the online version that would be Client ID / user ID /
>> Password. So far so good. But I'm just wondering... how secure is this? I
>> guess not very. Every disgruntled employee can go online at home enter
>> their
>> name and password and do whatever they like.
>>
>> Now for clients with a fixed IP address I can check the IP-address as a
>> part
>> of the authentication. But what if my client has a dynamic IP-address?
>>
>> I would love to hear your thoughts on this matter,
>>
>> Thanks,
>> Martin
>>
>>
>>

"Martin" <x@y.com> wrote in message
news:uqu9E8XfGHA.2188@TK2MSFTNGP04.phx.gbl...
> Hi Michel,
>
> Thanks for your reply. You got a good point there. Besides we will log all
> usage including IP address for audit and billing purposes, so if it is an
> "inside job" we'd know the culprit.
>
> The thing that worries me somewhat is outsiders (hackers). I know you can
> scramble the password in the database, but still.... You hear of people
> breaking in into the CIA system, and I bet those guys know a lot more
> about security than I do.
>
> The system will store sensitive medical and personal info of patients as
> well as financial data of hospitals.
>
> I hear SP's are a good way of protecting a database, but frankly I don't
> understand how. A stored procedure can be called by anyone with access to
> the database right? And the database will still be open to regular
> queries, or am I seeing that wrong?

>| Hi all,
>|
>| We have an administrative application that we are considering to rewrite in
>| aspx with vb2005. I think the marketing possibilities are enourmous.
>|
>| In our standard app, the user logs in by entering his/her user name and
>| password. In the online version that would be Client ID / user ID /
>| Password. So far so good. But I'm just wondering... how secure is this? I
>| guess not very. Every disgruntled employee can go online at home enter their
>| name and password and do whatever they like.
>|
>| Now for clients with a fixed IP address I can check the IP-address as a part
>| of the authentication. But what if my client has a dynamic IP-address?
>|
>| I would love to hear your thoughts on this matter,

> You might want to re-think this process.
> I would be thinking - who do I want to allow on the system and what
> rights would I give them. What information do I know for certain and
> can control?
>
> The only IP addresses that you know, and can control, are the
> workplace ones. Thus, people who login from the workplace are given
> full access.
>
> Anyone logging in from outside (any other IP address) would only be
> given readonly/minimal update priveleges.
>
> You can have a look at Authentication and Roles as used in the
> web.config file.

"Herfried K. Wagner [MVP]" <hirf-spam-me-here@gmx.at> schrieb im Newsbeitrag
news:e6g7qFYfGHA.3364@TK2MSFTNGP05.phx.gbl...
> "Martin" <x@y.com> schrieb:
>> We have an administrative application that we are considering to rewrite
>> in aspx with vb2005. I think the marketing possibilities are enourmous.
>>
>> In our standard app, the user logs in by entering his/her user name and
>> password. In the online version that would be Client ID / user ID /
>> Password. So far so good. But I'm just wondering... how secure is this? I
>> guess not very. Every disgruntled employee can go online at home enter
>> their name and password and do whatever they like.
>
> HTTPS + username + password should be secure enough in most cases.
> However, do not store the passwords in plain text on the server.  Instead,
> store a salted hash in the users table.
>
> --
> M S   Herfried K. Wagner
> M V P  <URL:http://dotnet.mvps.org/>
> V B   <URL:http://classicvb.org/petition/>

"james" wrote:

>
> "Martin" <x@y.com> wrote in message
> news:ukFrMMYfGHA.2032@TK2MSFTNGP02.phx.gbl...
> > Hi Herfried,
> >
> > Thank you for your response. I've read in the VB documentation about
> > storing the passwords hashed. But salted? I haven't heard of that flavour.
> >
> > Do you have any suggestions where I can read more about https?
> >
>
> Salt is the encryption "key" used to encrypt the hash. So if you make this
> complex too, it is more secure.
>
> A different "salt" will give a different encrypted string....
>
>
>

>Hi all,
>
>We have an administrative application that we are considering to rewrite in
>aspx with vb2005. I think the marketing possibilities are enourmous.
>
>In our standard app, the user logs in by entering his/her user name and
>password. In the online version that would be Client ID / user ID /
>Password. So far so good. But I'm just wondering... how secure is this? I
>guess not very. Every disgruntled employee can go online at home enter their
>name and password and do whatever they like.
>
>Now for clients with a fixed IP address I can check the IP-address as a part
>of the authentication. But what if my client has a dynamic IP-address?
>
>I would love to hear your thoughts on this matter,
>
>Thanks,
>Martin
>
>
> 
>

"Martin" wrote:

> Hi all,
>
> We have an administrative application that we are considering to rewrite in
> aspx with vb2005. I think the marketing possibilities are enourmous.
>
> In our standard app, the user logs in by entering his/her user name and
> password. In the online version that would be Client ID / user ID /
> Password. So far so good. But I'm just wondering... how secure is this? I
> guess not very. Every disgruntled employee can go online at home enter their
> name and password and do whatever they like.
>
> Now for clients with a fixed IP address I can check the IP-address as a part
> of the authentication. But what if my client has a dynamic IP-address?
>
> I would love to hear your thoughts on this matter,
>
> Thanks,
> Martin
>
>
>

"Martin" <x@y.com> wrote in message
news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
> Hi all,
>
> We have an administrative application that we are considering to rewrite
> in aspx with vb2005. I think the marketing possibilities are enourmous.
>
> In our standard app, the user logs in by entering his/her user name and
> password. In the online version that would be Client ID / user ID /
> Password. So far so good. But I'm just wondering... how secure is this? I
> guess not very. Every disgruntled employee can go online at home enter
> their name and password and do whatever they like.
>
> Now for clients with a fixed IP address I can check the IP-address as a
> part of the authentication. But what if my client has a dynamic
> IP-address?
>
> I would love to hear your thoughts on this matter,
>
> Thanks,
> Martin
>

"Martin" <x@y.com> schrieb im Newsbeitrag
news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
> Hi all,
>
> We have an administrative application that we are considering to rewrite
> in aspx with vb2005. I think the marketing possibilities are enourmous.
>
> In our standard app, the user logs in by entering his/her user name and
> password. In the online version that would be Client ID / user ID /
> Password. So far so good. But I'm just wondering... how secure is this? I
> guess not very. Every disgruntled employee can go online at home enter
> their name and password and do whatever they like.
>
> Now for clients with a fixed IP address I can check the IP-address as a
> part of the authentication. But what if my client has a dynamic
> IP-address?
>
> I would love to hear your thoughts on this matter,
>
> Thanks,
> Martin
>

"Martin" <x@y.com> schreef in bericht
news:#UoJ$otfGHA.764@TK2MSFTNGP05.phx.gbl...
> Thanks everybody for your helpful contributuons to this discussion.
>
> I have a few (maybe stupid) questions... What is that SQL Injection thingy
I
> keep hearing about, and does anyone know a site where i could learn about
> HTTPS?
>
> Tia,
> Martin
>
> "Martin" <x@y.com> schrieb im Newsbeitrag
> news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
> > Hi all,
> >
> > We have an administrative application that we are considering to rewrite
> > in aspx with vb2005. I think the marketing possibilities are enourmous.
> >
> > In our standard app, the user logs in by entering his/her user name and
> > password. In the online version that would be Client ID / user ID /
> > Password. So far so good. But I'm just wondering... how secure is this?
I
> > guess not very. Every disgruntled employee can go online at home enter
> > their name and password and do whatever they like.
> >
> > Now for clients with a fixed IP address I can check the IP-address as a
> > part of the authentication. But what if my client has a dynamic
> > IP-address?
> >
> > I would love to hear your thoughts on this matter,
> >
> > Thanks,
> > Martin
> >
>
>

"Peter Proost" <pproost@nospam.hotmail.com> schreef in bericht
news:etxV1lvfGHA.4976@TK2MSFTNGP02.phx.gbl...
> http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
>
> http://en.wikipedia.org/wiki/HTTPS
>
> Hope this helps
>
> --
> Programming today is a race between software engineers striving to build
> bigger and better idiot-proof programs, and the Universe trying to produce
> bigger and better idiots. So far, the Universe is winning. (Rich Cook)
>
> "Martin" <x@y.com> schreef in bericht
> news:#UoJ$otfGHA.764@TK2MSFTNGP05.phx.gbl...
>> Thanks everybody for your helpful contributuons to this discussion.
>>
>> I have a few (maybe stupid) questions... What is that SQL Injection
>> thingy
> I
>> keep hearing about, and does anyone know a site where i could learn about
>> HTTPS?
>>
>> Tia,
>> Martin
>>
>> "Martin" <x@y.com> schrieb im Newsbeitrag
>> news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
>> > Hi all,
>> >
>> > We have an administrative application that we are considering to
>> > rewrite
>> > in aspx with vb2005. I think the marketing possibilities are enourmous.
>> >
>> > In our standard app, the user logs in by entering his/her user name and
>> > password. In the online version that would be Client ID / user ID /
>> > Password. So far so good. But I'm just wondering... how secure is this?
> I
>> > guess not very. Every disgruntled employee can go online at home enter
>> > their name and password and do whatever they like.
>> >
>> > Now for clients with a fixed IP address I can check the IP-address as a
>> > part of the authentication. But what if my client has a dynamic
>> > IP-address?
>> >
>> > I would love to hear your thoughts on this matter,
>> >
>> > Thanks,
>> > Martin
>> >
>>
>>
>
>

"Cor Ligthert [MVP]" <notmyfirstn***@planet.nl> schreef in bericht
news:uwlaN7wfGHA.4276@TK2MSFTNGP03.phx.gbl...
> Peter,
>
> The page you show is in my idea one of the worst pages on MSDN. It is a
kind
> of hacker manual, while the given samples don't secure any hack.
>
> If you want to secure hacking with SQL server than you need to do that in
> your SQL server part where by instance not any part of the data is direct
> readable by somebody else than the Admin, and the Stored procedures will
> have the authorisations who may use those procedure by procedure. But the
> first part for  hacking (as it is as well in this article) is that you
need
> the userID and the passwords who gives you the right to connect to the SQL
> server or whatever. I probably don't have to give you than the code how to
> access a bad managed SQL server a SP alone does than nothing to prevent
> that.
>
> AFAIK had the SQL injection something to do with a bug in SQL 2000 server,
> where I have never read what it was. SP3 from SQL 2000 server should be to
> correct that bug.
>
> Just a little addition,
>
> Cor
>
> "Peter Proost" <pproost@nospam.hotmail.com> schreef in bericht
> news:etxV1lvfGHA.4976@TK2MSFTNGP02.phx.gbl...
> > http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
> >
> > http://en.wikipedia.org/wiki/HTTPS
> >
> > Hope this helps
> >
> > --
> > Programming today is a race between software engineers striving to build
> > bigger and better idiot-proof programs, and the Universe trying to
produce
> > bigger and better idiots. So far, the Universe is winning. (Rich Cook)
> >
> > "Martin" <x@y.com> schreef in bericht
> > news:#UoJ$otfGHA.764@TK2MSFTNGP05.phx.gbl...
> >> Thanks everybody for your helpful contributuons to this discussion.
> >>
> >> I have a few (maybe stupid) questions... What is that SQL Injection
> >> thingy
> > I
> >> keep hearing about, and does anyone know a site where i could learn
about
> >> HTTPS?
> >>
> >> Tia,
> >> Martin
> >>
> >> "Martin" <x@y.com> schrieb im Newsbeitrag
> >> news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
> >> > Hi all,
> >> >
> >> > We have an administrative application that we are considering to
> >> > rewrite
> >> > in aspx with vb2005. I think the marketing possibilities are
enourmous.
> >> >
> >> > In our standard app, the user logs in by entering his/her user name
and
> >> > password. In the online version that would be Client ID / user ID /
> >> > Password. So far so good. But I'm just wondering... how secure is
this?
> > I
> >> > guess not very. Every disgruntled employee can go online at home
enter
> >> > their name and password and do whatever they like.
> >> >
> >> > Now for clients with a fixed IP address I can check the IP-address as
a
> >> > part of the authentication. But what if my client has a dynamic
> >> > IP-address?
> >> >
> >> > I would love to hear your thoughts on this matter,
> >> >
> >> > Thanks,
> >> > Martin
> >> >
> >>
> >>
> >
> >
>
>

"Peter Proost" <pproost@nospam.hotmail.com> wrote in message
news:uXzIfjxfGHA.5104@TK2MSFTNGP04.phx.gbl...
> Cor,
>
> ACK, but it does explain what SQL injections are ;-)
>
> Greetz Peter
>
> --
> Programming today is a race between software engineers striving to build
> bigger and better idiot-proof programs, and the Universe trying to produce
> bigger and better idiots. So far, the Universe is winning. (Rich Cook)
>
> "Cor Ligthert [MVP]" <notmyfirstn***@planet.nl> schreef in bericht
> news:uwlaN7wfGHA.4276@TK2MSFTNGP03.phx.gbl...
>> Peter,
>>
>> The page you show is in my idea one of the worst pages on MSDN. It is a
> kind
>> of hacker manual, while the given samples don't secure any hack.
>>
>> If you want to secure hacking with SQL server than you need to do that in
>> your SQL server part where by instance not any part of the data is direct
>> readable by somebody else than the Admin, and the Stored procedures will
>> have the authorisations who may use those procedure by procedure. But the
>> first part for  hacking (as it is as well in this article) is that you
> need
>> the userID and the passwords who gives you the right to connect to the
>> SQL
>> server or whatever. I probably don't have to give you than the code how
>> to
>> access a bad managed SQL server a SP alone does than nothing to prevent
>> that.
>>
>> AFAIK had the SQL injection something to do with a bug in SQL 2000
>> server,
>> where I have never read what it was. SP3 from SQL 2000 server should be
>> to
>> correct that bug.
>>
>> Just a little addition,
>>
>> Cor
>>
>> "Peter Proost" <pproost@nospam.hotmail.com> schreef in bericht
>> news:etxV1lvfGHA.4976@TK2MSFTNGP02.phx.gbl...
>> > http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/
>> >
>> > http://en.wikipedia.org/wiki/HTTPS
>> >
>> > Hope this helps
>> >
>> > --
>> > Programming today is a race between software engineers striving to
>> > build
>> > bigger and better idiot-proof programs, and the Universe trying to
> produce
>> > bigger and better idiots. So far, the Universe is winning. (Rich Cook)
>> >
>> > "Martin" <x@y.com> schreef in bericht
>> > news:#UoJ$otfGHA.764@TK2MSFTNGP05.phx.gbl...
>> >> Thanks everybody for your helpful contributuons to this discussion.
>> >>
>> >> I have a few (maybe stupid) questions... What is that SQL Injection
>> >> thingy
>> > I
>> >> keep hearing about, and does anyone know a site where i could learn
> about
>> >> HTTPS?
>> >>
>> >> Tia,
>> >> Martin
>> >>
>> >> "Martin" <x@y.com> schrieb im Newsbeitrag
>> >> news:OMy2lMXfGHA.764@TK2MSFTNGP03.phx.gbl...
>> >> > Hi all,
>> >> >
>> >> > We have an administrative application that we are considering to
>> >> > rewrite
>> >> > in aspx with vb2005. I think the marketing possibilities are
> enourmous.
>> >> >
>> >> > In our standard app, the user logs in by entering his/her user name
> and
>> >> > password. In the online version that would be Client ID / user ID /
>> >> > Password. So far so good. But I'm just wondering... how secure is
> this?
>> > I
>> >> > guess not very. Every disgruntled employee can go online at home
> enter
>> >> > their name and password and do whatever they like.
>> >> >
>> >> > Now for clients with a fixed IP address I can check the IP-address
>> >> > as
> a
>> >> > part of the authentication. But what if my client has a dynamic
>> >> > IP-address?
>> >> >
>> >> > I would love to hear your thoughts on this matter,
>> >> >
>> >> > Thanks,
>> >> > Martin
>> >> >
>> >>
>> >>
>> >
>> >
>>
>>
>
>