Reputation: 73
I have created a WPF desktop application that needs to be able to securely access a remote DB for authentication. The app will be installed at a customer's site and the DB will be inside our network.
What I am thinking is that the client will send the username and password (encrypted) to an API somewhere on our network that has access to the internal DB. The API will decrypt, verify the account, and send the good-to-go back to the client.
Is this the correct way to secure a desktop application using a remote database, and if so, are there some simple examples of how to accomplish it? I have spent a couple of days researching with no simple examples.
Upvotes: 0
Views: 396
Reputation: 45096
Simple and secure are not the same.
If your app connects to the database then your app can be hacked and they gain access to the database. You may have write access to a certain table to perform updates. With write access they can delete *.
In security they refer to attack surface. SQL has an enormous attack surface. If you allow a client to access the database directly then you have an enormous attack surface to protect.
WCF has very good security. A user cannot hijack the service to perform a table delete (unless you have a very poorly written service).
It is like you let them in the bank vault with a key to only get into their safety deposit box. Well the vault is a lot stronger than the safety deposit box. With a WCF service you don't even let them in the vault.
As for simple, just let them access the database and have a logon page. If they do not pass a simple security check then don't let them advance to the actual application page(s).
Upvotes: 1
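The design discussed in the question and answer above, sketched as an added example (not code from either poster): a WCF contract that exposes a single `Authenticate` operation, so the desktop client never holds database credentials and never sends SQL. The table `dbo.Users`, its `Salt` and `PasswordHash` columns, the connection-string name `AuthDb`, the PBKDF2 parameters, and hosting the endpoint over HTTPS transport security are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;
using System.ServiceModel;

// The only operation a client can reach: no SQL, no table access.
[ServiceContract]
public interface IAuthService
{
    [OperationContract]
    bool Authenticate(string userName, string password);
}

public class AuthService : IAuthService
{
    // Assumed value; must match what was used when the hash was stored.
    private const int Iterations = 100000;

    public bool Authenticate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        byte[] salt = null, stored = null;
        // The connection string lives only in the service's config, inside the network.
        string cs = ConfigurationManager.ConnectionStrings["AuthDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT Salt, PasswordHash FROM dbo.Users WHERE UserName = @u", conn))
        {
            // Parameterized: the user name is data, never part of the SQL text.
            cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (var r = cmd.ExecuteReader())
                if (r.Read()) { salt = (byte[])r["Salt"]; stored = (byte[])r["PasswordHash"]; }
        }
        if (salt == null || stored == null) return false; // unknown user: same answer as a bad password

        // Assumes NOT NULL columns: a salt of at least 8 bytes and a non-empty hash.
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            computed = kdf.GetBytes(stored.Length);

        // Compare every byte instead of stopping at the first difference.
        int diff = 0;
        for (int i = 0; i < stored.Length; i++) diff |= stored[i] ^ computed[i];
        return diff == 0;
    }
}
```

The database account behind `AuthDb` needs only SELECT on that one table, which keeps the write and delete risk raised in the answer off the table entirely.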