I would love some best practice feedback on the security model I have come up with for my application. I am diving head first into upgrading a Microsoft Access Frontend/Backend to .NET WinForms/SQL Server using Amazon’s RDS. Application will be multi user, multi site (different domains) and contain sensitive health information.
This is the summation of 2 weeks research:
-
Encrypted connection string stored in application using mixed authentication and SSL. Not ideal, but I think I have figured out a way for it to be okay if the connection string is stolen (see #5 below).
-
SQL Server only accepts connections from select IP Addresses (all will be static).
-
Application connection string assigned to one SQL Server user that has execute only privileges. All DB interaction will be done using procedures. Schema permissions used to limit application user to certain procedures.
-
User table with SHA 256 salted and hashed passwords. This provides the first layer of application security.
-
THIS IS THE PART I AM UNSURE OF: Every procedure will only fully execute if an IF statement looking up the user name and password sent as one of the exec variables = True. The UN/PW will be temporarily stored for each session of the application. My rationale is this prevents a user with the connection string who is somehow logging in from an allowed IP Address from obtaining/altering any data without a valid password.
-
Sensitive columns encrypted with AES_256 Symmetric Key, encrypted by a Certificate using Database Master Key. Application user has privileges to use Symmetric Key and Certificate.
-
User passwords must follow rules (length, upper/lower-case mix, special characters).
Can anyone see any holes in this or have good alternatives? Does #5 solve the inherent connection string security holes windows applications unable to use Windows Authentication have?
Overal your design strikes me as an attempt to duplicate built-in functionality (authentication, authorization, permission control) with a self-made attempt to copy, just because you don’t trust the built-in features.
Use SQL User/password for authentication/authorization. Do NOT build a table of users and hashes. Do NOT send user and password with each exec request (!).
Use SQL Server permissions for access control. Use code signing for granular control of execution (signed procedures). Do NOT attempt to build a parallel, duplicate access control infrastructure, do NOT store a temporary user/password for each session.
Use AWS firewall infrastructure to control access IPs. Do NOT reinvent your own.
If you use column level encryption, understand what you’re protecting against and what is your goal. Accidental media loss? Then encrypt with a database master key (ie. poor men’s TDE). Data confidentiality? Then have the user enter the certificate decryption password on each session.
Have the user enter the password when it starts the application so you do not expose the password in files at rest (.config). That’s all there is to it. SQL Server has long ago stopped exchanging the password on wire for SQL auth.