Securing your Data Layer in a C# Application

执念已碎 2020-12-23 12:47

I was thinking about how to secure the Data Layer in a C# Application, the layer could in this case be either a LINQ to SQL Model Diagram stored with the Application itself

12 answers
  •  慢半拍i (original poster)
    2020-12-23 13:35

    In your case there are two main attack possibilities:

    • Steal the connection string and then access the database directly
    • Call methods in your C# code directly without using the UI

    For the connection string you need to store it in an encrypted form in a config file. The problem is that there needs to be enough information in the WinForms app so that it can decrypt and use it.

    For accessing the code directly you can use code access security and obfuscation.

    In your case I would not give the Windows app direct access to the database. Let the Windows app call a WCF service, then the WCF service would access the database.

    The user's user account is allowed to call the WCF service, the WCF service is running under an account that is allowed to access the database, the user's user account has no rights to the database.

    Windows App with 3 Layers:

    • UI
    • Business (Security check what UI should be shown to the user)
    • Proxy

    WCF Service with 2 Layers:

    • Facade / Business Layer (Security check is user allowed to call this method with this data)
    • Entity Framework datamodel

    Common DLLs to both Layers

    • Contracts / WCF Interfaces
    • Data Transfer Objects

    For info on proxy, contracts and DTOs see this video:

    http://www.dnrtv.com/default.aspx?showNum=103
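
The service-side facade check described in the answer above, as an added C# example that is not part of the original answer: the service authorizes each call from the identity WCF authenticated, and checks both the method and the requested data. `OrderDto`, `IOrderService`, `OrderFacade`, the `EXAMPLE\` accounts and group, and the `net.tcp` address are hypothetical; it assumes .NET Framework with `System.ServiceModel`, C# 7 or later, and Windows authentication.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;
using System.Security.Principal;
using System.ServiceModel;
[DataContract] public class OrderDto              // DTO, shared DLL (hypothetical)
{
    [DataMember] public int Id { get; set; }
    [DataMember] public string Owner { get; set; }
}

[ServiceContract] public interface IOrderService  // contract, shared DLL (hypothetical)
{
    [OperationContract] OrderDto GetOrder(int id);
}

public class OrderFacade : IOrderService          // facade / business layer of the service
{
    const string ManagerGroup = @"EXAMPLE\OrderManagers";  // placeholder group name
    // Constructed rows standing in for the Entity Framework data model.
    static readonly Dictionary<int, OrderDto> Orders = new Dictionary<int, OrderDto> {
        { 1, new OrderDto { Id = 1, Owner = @"EXAMPLE\alice" } },
        { 2, new OrderDto { Id = 2, Owner = @"EXAMPLE\bob" } },
    };

    public OrderDto GetOrder(int id)
    {
        // Identity comes from WCF transport security, never from a request field.
        ServiceSecurityContext ctx = ServiceSecurityContext.Current;
        // One fault for "missing" and "not yours", so order ids cannot be probed.
        if (ctx == null || ctx.IsAnonymous || !Orders.TryGetValue(id, out OrderDto order)
            || !IsAllowed(new WindowsPrincipal(ctx.WindowsIdentity), order))
            throw new FaultException("Order not available.");
        return order;
    }

    // Owners may read their own orders; members of the manager group may read any.
    public static bool IsAllowed(IPrincipal user, OrderDto order) =>
        string.Equals(user.Identity.Name, order.Owner, StringComparison.OrdinalIgnoreCase)
        || user.IsInRole(ManagerGroup);
    public static void Main()   // self-host; NetTcpBinding defaults to Windows transport security
    {
        var host = new ServiceHost(typeof(OrderFacade), new Uri("net.tcp://localhost:9000/orders"));
        host.AddServiceEndpoint(typeof(IOrderService), new NetTcpBinding(), "");
        host.Open();
        Console.ReadLine();     // serve until Enter is pressed
        host.Close();
    }
}
```

In a real deployment the dictionary is replaced by the data model, and only the account the service runs under is granted rights on the database.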
