Database security

Snow License Manager and its subsystems connect to the database server using configurable connection strings that contain vital information, such as the server name, database name, and user credentials. These connection details are stored in encrypted form.

The Snow License Manager web application uses a single dedicated SQL Server service account. The service account is created in SQL Server during the installation of Snow License Manager. To increase the security level, the SQL Server service account can be created using a randomly generated, 12-character password, known only to the system.

To create the SQL Server service account for Snow License Manager, the installer must be logged on using an SQL Server user account with system administrator (sysadm) privileges in the database server. The sysadm rights are needed to create the SLM database during installation, to enable DBO-access to the Snow License Manager and Snow Inventory databases, and to access and control the SQL Server Agent service. After installation, sysadm rights are no longer needed.

The SQL Server service account for Snow License Manager does not require (and is never assigned) sysadm privileges, only DBO-rights for the Snow License Manager and Snow Inventory databases.

Application user accounts are setup in a tabled structure within the database; not as individual login users to the database account. Application user accounts cannot, therefore, be used log on to the database. Thus there is no direct access to the database.

SQL injection is a technique used to attack data-driven applications by exploiting security vulnerabilities in the database layer. Exploiting this kind of vulnerability could change the SQL query to grant unauthorized access.

To withstand SQL injections and ensure a high level of security, Snow License Manager uses parameterization and stored procedures. In cases where parameterization cannot be used, input sanitization checks ensure that the system is not vulnerable to SQL injection attacks.