I have to agree with Bill; I would not under any circumstances allow my
server to be visible to the outside world. Of course, I would also under no
circumstances post my server's connection string to this newsgroup, so
obviously security concerns do vary.

Possible risks of making your server visible include denial of service
attacks, brute force password hacking and credential sniffing either on the
way or on the client machine where the ADO.NET program is running. If you
give me an ADO.NET program that connects to your server, you are giving me
access to the server with the same rights as the program, period. There is
no way to protect the connection information. In an intranet scenario,
hopefully you are protecting against this by relying on integrated security,
but you can't rely on integrated security on the net.

Once somebody has access to your SQL Server (hopefully with an account with
valid restrictions; if they are admins it is all over) they will likely be
able to hack into the server machine; a lot of very smart people dedicate a
good chunk of their day to finding (and telling everybody about) just this
type of vulnerability.

I would highly recommend adding a web services layer to access your server
if you want the server information to be accessible.
--
Angel Saenz-Badillos [MS] Managed Providers
This posting is provided "AS IS", with no warranties, and confers no
rights. Please do not send email directly to this alias.
This alias is for newsgroup purposes only.

moko said:
Thanks a lot for all the information, and may your servers be secure.