The requirement I have is that part of the install process for an application includes database setup and updates that require SA privilege, but the Windows user installing will not have that password.
As a result, the thought is to use an installer application that embeds the sa password and will perform all required actions. This will further be secured by requiring a password to launch the installer based on some sort of algorithm that makes it unique on a daily basis.
Now, the concern I have is that (with the knowledge I have right now) it would be pretty simple to reflect the .NET application to easily figure out the sa password. So, the question is how do I protect this. Obfuscation for sure, but it’s never that good.
You can go to the level of encrypting portions of your application to hide the secret values – but if your application is able to decrypt it you need to store the key in the application too.
DVD players are one good example of this – DVDs are encrypted using a system called Content Scramble System, and each DVD player manufacturer embeds a key to be able to decrypt DVDs on the player itself.
The thing is though – if the end user’s machine has the ability to run your code, then there’s nothing you can do to truly prevent them from accessing the key. It’s just a matter of time and effort for someone to figure out how, exactly, you’ve obfuscated that. Just ask “DVD Jon”, the developer of the DeCSS Application.
If you want to ensure security of information, don’t put that information where a user can get to it. Host the database elsewhere and give the user credentials which have limited functionality.
Either that, or accept the fact that users will be able to bypass the security, and plan for that (e.g. by not doing anything important locally).
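One way to apply the "credentials which have limited functionality" advice to the SQL Server setup described in the question, as an added T-SQL example that is not part of the original question or answer: a DBA creates a dedicated installer login ahead of time with rights only inside the application database, so the credential the installer carries is not sa and cannot be used for anything beyond that database. The names AppDb and AppInstaller and the password placeholder are assumptions.

```sql
-- Added example (not from the original post). Run once by a DBA who holds sa.
-- AppDb, AppInstaller and the password below are placeholders, not real values.
USE master;
GO
-- A SQL login with no server-level roles: it cannot create databases,
-- read other databases, or change server configuration.
CREATE LOGIN AppInstaller
    WITH PASSWORD = '<placeholder-strong-password>', CHECK_POLICY = ON;
GO
USE AppDb;
GO
CREATE USER AppInstaller FOR LOGIN AppInstaller;
-- Schema changes and data access only inside AppDb (enough for setup scripts
-- and upgrade migrations), nothing outside it.
ALTER ROLE db_ddladmin   ADD MEMBER AppInstaller;
ALTER ROLE db_datareader ADD MEMBER AppInstaller;
ALTER ROLE db_datawriter ADD MEMBER AppInstaller;
GO
-- Check: the login must hold no server-level roles. Expect zero rows.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
WHERE p.name = 'AppInstaller';
```

If a user extracts this credential from the installer, the exposure is limited to the one database the installer was already allowed to change, which is the "plan for that" outcome the answer describes.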