Your application may have an internal security strategy (see the Security System section). However, that does not mean that a user who does not have an account in the application cannot gain direct access to the database. While it is the job of a system administrator to protect the database server properly, it is useful for a developer to understand basic security principles. In this lesson, you will learn how to make your database more secure.
We will consider two cases: End-User Workstations joined to a domain and End-User Workstations not joined to a domain.
If all End-User Workstations are joined to a domain, it is recommended to use an Active Directory authentication type in the application. Users will not have to provide credentials when starting the application. Instead, their Active Directory accounts will be used. The following security strategy is recommended.
Configure your application to use Windows Authentication when connecting to the database. The sample connection string below illustrates this.
<add name="ConnectionString" connectionString="Integrated Security=SSPI; Pooling=false;Data Source=DBSERVER;Initial Catalog=MySolution;" />
For details, refer to the Set Up the Database Connection lesson.
Refer to your DBMS and Windows Server documentation for detailed information on the steps above.
If End-User Workstations are not joined to a domain, you should use a Standard authentication type in the application. Users will have to provide credentials when logging into the application. The following security strategy is recommended.
Configure your application to use the "XAF_User" account when connecting to the database. The sample connection string below illustrates this.
<add name="ConnectionString" connectionString="Integrated Security=False; Pooling=false;Data Source=DBSERVER;Initial Catalog=MySolution; User ID=XAF_User;Password=PASSWORD;" />
Refer to your DBMS documentation for detailed information on the steps above.
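The two connection strings above differ in one setting: Integrated Security=SSPI makes the database server authenticate the Windows (Active Directory) account running the application, while Integrated Security=False with User ID and Password embeds a shared SQL login and its password in the configuration file, which must then be protected. The following script, added here as an example and not part of the original lesson or of XAF itself, parses a constructed App.config fragment containing both strings, classifies each connection as Windows or standard authentication, and flags the settings a reviewer would want to see fixed (an embedded plaintext password, or a standard-authentication string with no login). The element and attribute names follow the <connectionStrings><add name="..." connectionString="..."/> layout shown on the page; the function names and the sample config are assumptions of this example.

```python
"""Audit .NET-style connection strings for the database authentication mode.

Constructed example: the config fragment below is built inline for the demo and
mirrors the two strings shown in the lesson (Windows vs. standard authentication).
"""
import xml.etree.ElementTree as ET

# Constructed sample App.config fragment (not taken from a real deployment).
SAMPLE_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ConnectionString"
         connectionString="Integrated Security=SSPI; Pooling=false;Data Source=DBSERVER;Initial Catalog=MySolution;" />
    <add name="StandardConnection"
         connectionString="Integrated Security=False; Pooling=false;Data Source=DBSERVER;Initial Catalog=MySolution; User ID=XAF_User;Password=PASSWORD;" />
  </connectionStrings>
</configuration>"""

# Values SqlClient accepts as "use Windows authentication".
INTEGRATED_TRUE = {"sspi", "true", "yes"}


def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value;' into a dict with lower-cased, trimmed keys."""
    parts = {}
    for token in cs.split(";"):
        if "=" not in token:          # skip empty trailing token after the last ';'
            continue
        key, _, value = token.partition("=")
        parts[key.strip().lower()] = value.strip()
    return parts


def uses_windows_auth(parts):
    """True when Integrated Security (or its alias Trusted_Connection) is enabled."""
    value = parts.get("integrated security", parts.get("trusted_connection", "false"))
    return value.lower() in INTEGRATED_TRUE


def audit_connection_string(cs):
    """Return {'mode': 'windows'|'standard', 'findings': [...]} for one string."""
    parts = parse_connection_string(cs)
    findings = []
    has_password = bool(parts.get("password") or parts.get("pwd"))
    has_login = bool(parts.get("user id") or parts.get("uid"))
    if uses_windows_auth(parts):
        mode = "windows"
        if has_password:
            # Ignored by the driver, but still a secret sitting in the config file.
            findings.append("password present but unused under Integrated Security; remove it")
    else:
        mode = "standard"
        if not has_login:
            findings.append("standard authentication without a User ID")
        if has_password:
            findings.append("plaintext password in config; restrict file ACLs and "
                            "protect the connectionStrings section")
    return {"mode": mode, "findings": findings}


def audit_config(xml_text):
    """Audit every <add name=... connectionString=...> element in a config document."""
    root = ET.fromstring(xml_text)
    results = {}
    for add in root.iter("add"):
        cs = add.get("connectionString")
        if cs is None:                # e.g. <appSettings> entries, not connection strings
            continue
        results[add.get("name")] = audit_connection_string(cs)
    return results


if __name__ == "__main__":
    for name, result in audit_config(SAMPLE_CONFIG).items():
        print(f"{name}: {result['mode']} auth")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running it on the sample prints the first connection as Windows authentication with no findings and the second as standard authentication with the plaintext-password finding. On a real deployment, the remediation for the second case is the one the lesson implies: prefer the domain-joined path where possible, and otherwise keep the config file readable only by the service account (on ASP.NET, the protected-configuration feature of aspnet_regiis -pe "connectionStrings" can encrypt that section in place).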
The following table lists the recommended settings for various available combinations of the application and database authentication types.
Database Server Authentication
Refer to the Security Authentication article in the IIS documentation to see how to change authentication settings.
It is recommended that you back up the database frequently. If something goes wrong, you will always have the ability to restore data. Refer to your DBMS documentation to find out how to set up automatic database backups, or ask the database administrator to do it.
Since the application database can contain the personal data of end-users, ensure that the database backups are not publicly accessible.
To learn how to connect remote desktop clients to the Terminal Server with your Windows Forms application installed, refer to the Connect Clients to the Terminal Server lesson. If you are not deploying a Windows Forms application to the Terminal Server, refer to the Application Update lesson to learn how to update your application.