Thread: SQL Server EXPERTS!! Share with me PLZ!! (security)

  1. #1

    Thread Starter
    Member juanmf's Avatar
    Join Date
    Dec 2005
    Location
    Mordor
    Posts
    46

    SQL Server EXPERTS!! Share with me PLZ!! (security)

    Hi; I've been talking with a friend who is developing (with 29 other people) a system for a hospital based on SQL Server. She is in the database design area. The paranoia is that they are trying to avoid unauthorized entry to the server by giving NO permission at all to any recently logged-in user, and as they are using some functions (that are all they can do), those functions do the job and give the results. I'm fine with that, but she thinks that this is preventing a "man in the middle attack", since "he/she can see the pass but might not see the functions' names.." I don't think so. I told her that the only thing that came to my head is to connect through SSL, because she can't implement any "home made" security before logging in to the server, and by that time this man in the middle already has your pass.
    ANY advice about security against men in the middle?
    Any disadvantage in using SSL?
    DOES SQL SERVER SUPPORT SSL?
    Thanks!
    If an answer to your question has been helpful, then please, Rate it! where are u?
    On Staying Informed and Intellectual Self-Defense

    There's no way to be informed without devoting effort to the task, whether we have in mind what's happening in the world, or anything else. Understanding doesn't come free. But it's feasible for anyone who is part of a cooperative community -- Same holds for "intellectual self-defense."

    By Noam Chomsky

  2. #2
    Addicted Member
    Join Date
    Sep 2004
    Posts
    133

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    Stored Procedures for everything, and create a user in SQL Server that ONLY has permissions to the SPs.

  3. #3

    Thread Starter
    Member juanmf's Avatar
    Join Date
    Dec 2005
    Location
    Mordor
    Posts
    46

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    I think that this is what they are actually attempting to do... but a "man in the middle" listens to the user and pass, and that's it; he doesn't need the program to see the data... the problem remains in the web... as far as I can see, encryption is the key.
    But which encryption can be used here?
    Any suggestion on this, or any alternative?

  4. #4
    Addicted Member
    Join Date
    Sep 2004
    Posts
    133

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    But the user/pass combination in this case only has access to Stored Procedures. What use will that be to them? It does not give computer access because the user/pass is for SQL only, and that User/pass cannot actually do anything to the data tables because it only has access to the stored procedures.

  5. #5

    Thread Starter
    Member juanmf's Avatar
    Join Date
    Dec 2005
    Location
    Mordor
    Posts
    46

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    But the program needs to update data and consult it, so somehow the stored procs are a gate to see or change data. Correct me if I am wrong, plz..

  6. #6
    Addicted Member
    Join Date
    Sep 2004
    Posts
    133

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    A Stored Procedure is a SQL Statement that runs on the server. Yes, it will return data, update data, even delete data (Never Delete Data; use a field to mark a row inactive). To use a Stored Procedure you simply pass in the name of the Stored Procedure along with any parameters it requires, and it will either update the data you request, or return the results requested.

    It will protect from SQL Injection Attacks, and the user/pass that has access to the Stored Procedures should not have access to the tables.
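
The permission layout described in posts #2 to #6, as an added T-SQL example that is not part of the thread. All names (HospitalDemo, dbo.Patients, the app schema, app_user) are hypothetical, and it assumes SQL Server 2005 or later for `CREATE USER ... WITHOUT LOGIN` and `TRY...CATCH`.

```sql
-- Hypothetical names throughout; run in a scratch instance.
CREATE DATABASE HospitalDemo;
GO
USE HospitalDemo;
GO
CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY PRIMARY KEY,
    FullName  NVARCHAR(100) NOT NULL,
    IsActive  BIT NOT NULL DEFAULT 1        -- soft-delete flag instead of DELETE
);
GO
-- Same owner (dbo) as the table, so ownership chaining lets the
-- procedures reach the table without the caller holding table rights.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE PROCEDURE app.GetPatient @PatientId INT
AS
    -- The parameter is bound as typed data; no SQL text is concatenated.
    SELECT PatientId, FullName
    FROM dbo.Patients
    WHERE PatientId = @PatientId AND IsActive = 1;
GO
CREATE PROCEDURE app.DeactivatePatient @PatientId INT
AS
    UPDATE dbo.Patients SET IsActive = 0 WHERE PatientId = @PatientId;
GO
-- Application principal: EXECUTE on the app schema and nothing else.
CREATE USER app_user WITHOUT LOGIN;         -- demo only; map to a real login in production
GRANT EXECUTE ON SCHEMA::app TO app_user;
GO
INSERT INTO dbo.Patients (FullName) VALUES (N'Constructed Sample');  -- constructed row
GO
-- Check the result from the application's point of view.
EXECUTE AS USER = 'app_user';
EXEC app.GetPatient @PatientId = 1;         -- succeeds through the procedure
BEGIN TRY
    SELECT * FROM dbo.Patients;             -- no SELECT permission on the table
END TRY
BEGIN CATCH
    PRINT 'Direct table access denied: ' + ERROR_MESSAGE();
END CATCH;
REVERT;
```

Ownership chaining does not cover dynamic SQL built inside a procedure (`EXEC(@sql)`), which would both require table permissions and bring the injection risk back. A captured login can still call every procedure it was granted, so transport encryption is a separate control.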

  7. #7

    Thread Starter
    Member juanmf's Avatar
    Join Date
    Dec 2005
    Location
    Mordor
    Posts
    46

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    OK, so it prevents inconsistent/unauthorised ways of using data, but some malicious guy can still see the data or change it through an SP, even if he doesn't have access to the tables. Did I get it right?
    If I did.. how do we prevent this guy from seeing the data or even logging in to the server?

  8. #8
    Addicted Member
    Join Date
    Sep 2004
    Posts
    133

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    SQL Server 2000 and greater supports SSL.

  9. #9

    Thread Starter
    Member juanmf's Avatar
    Join Date
    Dec 2005
    Location
    Mordor
    Posts
    46

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    Thanks for your time. I know I'm difficult.
    One more doubt: using SSL, does the connection string also go encrypted or not? 'Cause if it doesn't, we are right at the beginning of the talk..?

  10. #10
    Addicted Member
    Join Date
    Sep 2004
    Posts
    133

    Re: SQL Server EXPERTS!! Share with me PLZ!! (security)

    All Data being sent over the network is encrypted with SSL.
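
A check for the SSL question in posts #8 to #10, as an added T-SQL example that is not part of the thread. It assumes SQL Server 2005 or later (the dynamic management views used here do not exist in SQL Server 2000) and a caller with VIEW SERVER STATE permission.

```sql
-- Lists current sessions whose connection is NOT encrypted,
-- grouped by who connected, from where, and with which program.
SELECT s.login_name,
       s.host_name,
       s.program_name,
       c.client_net_address,
       c.net_transport,
       COUNT(*) AS unencrypted_sessions
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
GROUP BY s.login_name, s.host_name, s.program_name,
         c.client_net_address, c.net_transport
ORDER BY unencrypted_sessions DESC;

-- Client side (SqlClient connection-string keywords):
--   Encrypt=True;TrustServerCertificate=False
-- Encrypt=True requests TLS; TrustServerCertificate=False makes the client
-- validate the server certificate, which is the part that defeats a man in the middle.
```

An empty result after enabling encryption on the server or in every client connection string confirms that no session is still travelling in clear text.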
