We have a client that's concerned about their sql server database, and internal security.
We currently are having them use windows authentication to log into the database.
And this is what's being used to do insert / updates on the database.
However... they are concerned that the user could access the tables by using the sql server management studio
Which.. they could.
I guess they don't necessarily, trust their own users.
Now... we could
use a single database login... that the user wouldn't know the password to.
and, this is how they would access the database. The login info, they entered would only allow them
access into our software.
(but... this login / password would have to be stored somewhere... and, would also need to be changeable)
This... as a whole, doesn't seem real secure
Or...
we create stored procedures that do the actual access / manipulation of the data
But... this would take a large rewrite, of how the system currently works.
Does anyone have any suggestions? thoughts?
I guess i could understand enhanced security, if the application was accessible from the outside.
But.... this application is within their network.
I guess that, this is the way things are headed these days.
lock down everything