Subject: Security ideas for n-tier?

From: shubt***@gmail.com, 25 Jan 2007 11:11:28 -0800

We are working on a project where we are converting our client server application to an n-tier model to make it more scalable. The question I have here for the group is to see if I can get some ideas on how the security should be implemented for this kind of architecture.

I am new to this n-tier world so I am looking for some guidance. Just to give you an idea, basically the plan is to split the existing thick client into three layers: a thin client (C# using .NET), a middle tier consisting of business logic (C#.NET) and SQL Server as the database. In addition to this we will have some web services which in turn will talk to the application server and then to the database. The web services will be written so that in the near future a web portal will be created which will use the web services to write and read data from the database. So basically we are anticipating data from the thin client, which will primarily be the Customer Support representatives, and data from end users from the web.

My question is, under this scenario, what is the normal and standard practice for authentication?

What methodology should be used for authenticating users to the thin client? Should each user be authenticated using Windows authentication, or should that be custom security? How should the users coming from the web be authenticated?

Once the user is logged on through the thin client, do we need any security when we do remoting to the business layer? How should the security at the database be implemented? We would like to audit all the changes on a user name basis. I have been reading quite a bit on security but I am still confused about what approach would be the best under the above scenario.

Any help in this regard will be greatly appreciated. If there is any white paper, website or book that might help, please feel free to suggest it; we are in a time crunch to get this project completed.

Thanks

Reply from Mary:

One option would be to take advantage of Enterprise Services (COM+) to deploy your middle tier. Each data access class would have methods that have the same signature as stored procedures in the database. COM+ security allows you to configure role-based security down to the method level. The middle tier would use a single low-privilege account to connect to the server. This account would have execute-only permissions on the stored procedures, and the public role would be denied all permissions on the base tables. This moves authentication and security maintenance away from the server so that users are authenticated at the client-to-middle-tier gate and never connect to the database directly.

There's a lot of documentation out there -- search on "asp.net security best practices". In particular see the patterns & practices site at http://msdn.microsoft.com/practices/.

--Mary
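As an added example that is not part of the thread, here is how the database side of the design Mary describes could be set up in T-SQL for SQL Server; the table, procedure, login and role names are assumed. Because the middle tier connects as a single account, the per-user audit trail the question asks for has to come from the user name the middle tier passes in, since the SQL login no longer identifies the person.

```sql
-- Trusted-subsystem layout: one low-privilege login for the middle tier,
-- execute-only on stored procedures, no rights on base tables.
-- Object names below are assumed for illustration.

CREATE TABLE dbo.Customer (
    CustomerId  INT IDENTITY PRIMARY KEY,
    Name        NVARCHAR(100) NOT NULL,
    ModifiedBy  NVARCHAR(128) NOT NULL,  -- user authenticated at the middle tier
    ModifiedAt  DATETIME      NOT NULL DEFAULT GETUTCDATE()
);
GO

-- The only write path the middle tier may use. @ChangedBy carries the identity
-- established by the COM+ role check, not the shared SQL login, so every row
-- records who made the change even though all connections share one account.
CREATE PROCEDURE dbo.usp_UpdateCustomerName
    @CustomerId INT,
    @Name       NVARCHAR(100),
    @ChangedBy  NVARCHAR(128)
AS
BEGIN
    SET NOCOUNT ON;
    IF @ChangedBy IS NULL OR LTRIM(RTRIM(@ChangedBy)) = ''
    BEGIN
        RAISERROR('ChangedBy is required for auditing', 16, 1);
        RETURN;
    END
    UPDATE dbo.Customer
    SET Name = @Name, ModifiedBy = @ChangedBy, ModifiedAt = GETUTCDATE()
    WHERE CustomerId = @CustomerId;
END
GO

-- Single account for the middle tier (placeholder password, replace it).
CREATE LOGIN AppMidTier WITH PASSWORD = 'REPLACE_WITH_STRONG_PASSWORD';
CREATE USER AppMidTier FOR LOGIN AppMidTier;
CREATE ROLE db_midtier_exec;
EXEC sp_addrolemember 'db_midtier_exec', 'AppMidTier';
GO

-- Execute-only on the procedure; public (and therefore every user) is denied
-- direct access to the table. The procedure still reaches the table because
-- dbo owns both objects, so ownership chaining skips the table permission check.
GRANT EXECUTE ON dbo.usp_UpdateCustomerName TO db_midtier_exec;
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customer TO public;
GO
```

An ad-hoc `UPDATE dbo.Customer` run as AppMidTier fails with a permission error, while the same change through the procedure succeeds and lands in the audit columns.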