How Do I Maximize Security When Connecting to a SQL Server Database?

About SQL Server database access in Crystal Reports

When using Crystal Reports for Visual Studio, a SQL Server database is accessed from either of the following sources:

  • Directly from the report file, using database connectivity information that is stored in the file.

    The embedded Crystal Report Designer configures the database connectivity information when the report is created or modified. The information is automatically passed to the database by the report engine whenever the report is displayed.

  • From Crystal Reports .NET API code.

    The database connectivity information can be reconfigured with code that interacts with the report programmatically at runtime.

Regardless of the source for your reports, the security issue remains the same: how do you protect the database from malicious attacks?

Use Windows Authentication with Integrated Security

For maximum security, Microsoft recommends the use of Integrated Security through Windows Authentication. This configuration means a user ID and password string won't be needed in your application.

For a tutorial that demonstrates how to integrate a Crystal report with Integrated Security into a Web or Windows application, see Tutorial: Logging onto a Secure SQL Server Database Using Integrated Security.

Use SQL Server Authentication with a Limited Access Database Account

If you need to use SQL Server Authentication with your database, you will have to take extra steps to achieve effective security.

Never use the system administrator ID and password in your code, because doing so presents a significant security risk. Instead, do the following:

  • Create a limited access database account.
  • Configure this account so that only the required tables in the database can be accessed.
  • For each table that can be accessed, give permission only to run the SELECT statement.
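The three steps above, carried out in T-SQL as an added example (not code from the Crystal Reports documentation). The database name [SalesDb], the tables [dbo].[Orders] and [dbo].[Customers], the login name and the placeholder password are assumptions; substitute your own.

```sql
-- Added example: a least-privilege SQL Server account for report access.
-- Assumed names (not from the page): database [SalesDb], report tables
-- [dbo].[Orders] and [dbo].[Customers]. Replace the placeholder password.
USE [master];
GO
-- Step 1: create a limited access login. It is NOT a member of sysadmin
-- or any other server role, and the Windows password policy is enforced.
CREATE LOGIN [crystal_reports_reader]
    WITH PASSWORD = N'<replace-with-a-strong-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = [SalesDb];
GO
USE [SalesDb];
GO
-- Step 2: map the login to a database user. No role membership is added
-- (not even db_datareader), so the account can reach nothing by default.
CREATE USER [crystal_reports_reader] FOR LOGIN [crystal_reports_reader];
GO
-- Step 3: grant SELECT only, and only on the tables the reports read.
GRANT SELECT ON OBJECT::[dbo].[Orders]    TO [crystal_reports_reader];
GRANT SELECT ON OBJECT::[dbo].[Customers] TO [crystal_reports_reader];
GO
-- Check: impersonate the account and list its effective permissions.
-- Expected: CONNECT at database scope, SELECT on the two tables, nothing else.
EXECUTE AS USER = 'crystal_reports_reader';
SELECT entity_name, permission_name
FROM fn_my_permissions(NULL, 'DATABASE');
SELECT entity_name, permission_name
FROM fn_my_permissions('dbo.Orders', 'OBJECT')
WHERE subentity_name = '';
REVERT;
GO
-- Audit query for the DBA: every explicit permission held by the account.
SELECT p.class_desc, OBJECT_NAME(p.major_id) AS object_name,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = 'crystal_reports_reader';
```

Point the report's database connection at this login rather than at sa; if a report later needs another table, grant SELECT on that one object instead of widening the account to db_datareader.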

Microsoft further recommends that you encrypt your user ID and password. For information about how to encrypt your user ID and password, see the Security information in MSDN.

To complete a tutorial that demonstrates how to integrate a Crystal report using SQL Authentication into a Web or Windows application, see Tutorial: Logging onto a Secure SQL Server Database Using SQL Authentication.