简体繁体 English

.net Winforms应用程序的安全连接

[英]Secure connection of .net winforms application

原文 2011-12-01 16:41:23 5 2 c#/ .net/ vb.net/ winforms/ security

I am developing an .net Winforms application and I need to secure the connection to the sql server 2008 database. 我正在开发.net Winforms应用程序，并且需要保护与sql server 2008数据库的连接。 I plan to create a webservice as a middle tier that will handle the authentication and that will provide data manipulation. 我计划将Web服务创建为中间层，以处理身份验证并提供数据处理。 Is there a better way to go with? 有更好的方法吗？ Does .net have components or tools for that? .net是否具有用于该目的的组件或工具？ What is the best technique? 最好的技术是什么？ Any info would be appreciated, thanks. 任何信息将不胜感激，谢谢。

2 个解决方案

Define "secure". 定义“安全”。 Obviously you wish to restrict access to data to users who really need that data. 显然，您希望将访问数据限制为确实需要该数据的用户。 However, more information about the architecture is needed; 但是，需要有关该体系结构的更多信息。 is this an in-house app that will only ever be used inside a (secured) LAN, VPN or hosted environment? 这是一个内部应用程序，只能在（安全的）LAN，VPN或托管环境中使用吗？ Or is this an app used on computers you do not control, that will transmit data over the Internet? 还是这是您无法控制的计算机上使用的应用程序，它将通过Internet传输数据？ How much security you need depends on what types of users will be using the software, from where, and how sensitive the data is. 您需要多少安全性取决于将使用哪种类型的用户，从何处使用数据以及数据的敏感程度。

MSS has pretty good security built-in. MSS内置了相当不错的安全性。 You can tie SQL users to Windows domain accounts, you can restrict "securables" (tables, views, SPs, etc) in myriad ways based on user or role, etc etc. I would first look at those capabilities, and seriously consider taking advantage of them in your security plan. 您可以将SQL用户绑定到Windows域帐户，可以根据用户或角色等以多种方式限制“安全性”（表，视图，SP等）。我将首先研究这些功能，并认真考虑利用在您的安全计划中。 One SQL user defined for use by any user of a particular piece of software, which has the permissions to do anything the software may require, is simple, common, and highly insecure. 定义为供特定软件的任何用户使用的一个SQL用户，该用户具有执行该软件可能需要执行的任何操作的权限，该用户是简单，通用且高度不安全的。

If that's not good enough, or you want to fully abstract your data layer (for instance, if you need the software to be able to be pointed at any DB type from MSS to Oracle to MySql), then it might be a good idea to implement a Repository model with a service proxy. 如果这还不够好，或者您想完全抽象化数据层（例如，如果您需要该软件能够指向从MSS到Oracle到MySql的任何数据库类型），那么对使用服务代理实现存储库模型。 Like Brian, I encourage you to have a look at WCF. 像Brian一样，我鼓励您看看WCF。 A WCF service is highly configurable, and can provide for independent authentication and for encryption. WCF服务是高度可配置的，并且可以提供独立的身份验证和加密。 A well-designed WCF service will be very secure indeed. 精心设计的WCF服务确实非常安全。

Behind the service, you can implement a Repository pattern, which abstracts the details of how data is retrieved from the data store and exposes simple methods that return objects containing the data you want in a ready-to-use form. 在服务后面，您可以实现存储库模式，该模式抽象了如何从数据存储中检索数据的详细信息，并公开了简单的方法，这些方法以现成的形式返回包含所需数据的对象。 Now, your service methods will just map 1:1 to Repository methods, possibly with some translation to DataContract-serializable objects instead of the richer domain model available on either side of the service. 现在，您的服务方法将只将1：1映射到Repository方法，并且可能需要转换为DataContract可序列化的对象，而不是在服务的任何一侧都可以使用更丰富的域模型。

Have you looked at building a service tier, using WCF? 您是否考虑过使用WCF构建服务层？ WCF can bring a whole new layer of abstraction and security from the actual physical database. WCF可以从实际的物理数据库中引入全新的抽象层和安全性。

WCF also allows you to use more secure bindings than a traditional web service allows, with built-in logging. WCF还允许您使用内置日志记录来使用比传统Web服务所允许的更安全的绑定。

Also, check out this book sometime if you want a really good read on .NET Security: 另外，如果您想在.NET Security上获得不错的阅读，请随时阅读本书：