Showing posts with label security. Show all posts

Monday, March 19, 2012

Enterprise manager security?

Our product has the middleware conduct transactions with the SQL server using a special account. The developers know the account and password in order to code it in their apps. The problem is that they are not allowed access to the platform once an app goes into production (we are in the banking industry). However, they use Enterprise Manager and as long as they know the account name and password, they can still get to any of the databases.
Anyone know how to stop a connection to a SQL DB (by user) with Enterprise Manager?

It is bad practice to code the account and password in the application. This should be stored in an ini file or the registry (and encrypted of course) so it can be changed easily. In that case you can set up a new account with the same permissions and delete the old account, and make your application use it by changing the username and password in the registry or ini file. If you would like to store the username and password encoded in the application for some reason, at least store it in a separate class, so that you can build a secure release version by only including a different file for that class.
Blocking them from Enterprise Manager doesn't help much; how long do you think it takes a not even very talented developer to knock up a basic app that allows you to view tables in any database? Or they can use Query Analyzer or osql.
Which bank uses this btw, I hope it's not mine ;-)
Jacco Schalkwijk
SQL Server MVP
"rick m" <anonymous@.discussions.microsoft.com> wrote in message
news:03A80E82-BAF0-4055-AEA7-9C33AEB30DB8@.microsoft.com...
> Our product has the middleware conduct transactions with the SQL server
using a special account. The developers know the account and password in
order to code it in their apps. The problem is that they are not allowed
access to the platform once an app goes into production (we are in the
banking industry). However, they use Enterprise Manager and as long as they
know the account name and password, they can still get to any of the
databases.
> Anyone know how to stop a connection to a SQL DB (by user) with Enterprise
Manager?

Rick,
You have stumbled onto one of the most overlooked internal security problems with SQL Server. Application developers often know logins and passwords and are able to connect to production databases outside of the application using Enterprise Manager, Query Analyzer, Access, a custom app, etc. If you cannot get the app developers to use Windows authentication, you really need to store the login and password in a safe ini file or registry setting and make sure the password changes as the application goes into production.
You're not the only one with the same question; many others have written the same question and apparently the problem with application developers being able to review production data is starting to become a problem.
Sorry, there is not a good answer to your question; it is an application development process change and not just a setting that will eventually keep application developers out of your production database.
About the only thing you can do in the short term is have management send out a warning that no app developer should be in production and then audit entry into your production db and have the offending developers "taken" care of.
Randy Dyess
www.Database-Security.Info

"rick m" <anonymous@.discussions.microsoft.com> wrote in message
news:03A80E82-BAF0-4055-AEA7-9C33AEB30DB8@.microsoft.com...
> Our product has the middleware conduct transactions with the SQL server
using a special account. The developers know the account and password in
order to code it in their apps. The problem is that they are not allowed
access to the platform once an app goes into production (we are in the
banking industry). However, they use Enterprise Manager and as long as they
know the account name and password, they can still get to any of the
databases.
> Anyone know how to stop a connection to a SQL DB (by user) with Enterprise
Manager?

No direct way, you'd be better off blocking (or simply removing any security
permissions) for user connections to the server running SQL Server. I agree
with the other posts, the main thing to emphasize -- use Windows
Authentication! That eliminates the need to hard code user names/passwords.
Security can be implemented and secured based on NT groups.
Steve
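The three answers above come down to two moves: stop the middleware from carrying a password at all (a Windows login for the service account, as Steve suggests), and, as defence in depth, refuse connections made with the application's login from anywhere other than the middleware hosts. The T-SQL below is an added example and is not code from any of the posters. Part 1 uses the SQL Server 2000 sp_* procedures; Part 2 uses a logon trigger, which exists only in SQL Server 2005 and later, so it does not apply to the SQL 2000 instance in the question as asked. The domain, account, host and database names (CORP\svc_middleware, middleware_app, BankingDB, APPSRV01/02) are placeholders.

```sql
-- Added example, not from the thread. Names below are placeholders:
-- CORP\svc_middleware = the Windows account the middleware service runs as
-- middleware_app      = the shared SQL login whose password the developers know
-- BankingDB           = the production database
-- APPSRV01/APPSRV02   = the hosts the middleware is allowed to connect from

---------------------------------------------------------------------------
-- Part 1 (SQL Server 2000 syntax): give the service account its own Windows
-- login so the connection string can use Trusted_Connection=yes and no
-- password exists for a developer to reuse.
---------------------------------------------------------------------------
USE master;
EXEC sp_grantlogin 'CORP\svc_middleware';

USE BankingDB;
EXEC sp_grantdbaccess 'CORP\svc_middleware', 'svc_middleware';
-- Grant only what the middleware actually calls. If the app goes through
-- stored procedures, grant EXECUTE on those instead of the two fixed roles.
EXEC sp_addrolemember 'db_datareader', 'svc_middleware';
EXEC sp_addrolemember 'db_datawriter', 'svc_middleware';

-- Until the middleware is switched over, at minimum change the shared
-- login's password at go-live so the value the developers coded against
-- is no longer valid (sysadmin can set it without knowing the old one).
EXEC sp_password NULL, 'new-production-only-secret', 'middleware_app';
-- After cut-over, retire the shared login entirely:
-- EXEC sp_revokedbaccess 'middleware_app';   -- in each database it has a user
-- EXEC sp_droplogin 'middleware_app';

---------------------------------------------------------------------------
-- Part 2 (SQL Server 2005 and later only): a logon trigger that rejects the
-- application login unless it arrives from the middleware hosts, and rejects
-- it outright from the usual management tools. Keep the DAC available while
-- testing this: a faulty logon trigger blocks every new connection except
-- the DAC.
---------------------------------------------------------------------------
USE master;
GO
CREATE TRIGGER trg_middleware_login_origin
ON ALL SERVER WITH EXECUTE AS 'sa'
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() = N'middleware_app'
       AND (
            HOST_NAME() NOT IN (N'APPSRV01', N'APPSRV02')
            OR APP_NAME() LIKE N'%Management Studio%'
            OR APP_NAME() LIKE N'%Enterprise Manager%'
            OR APP_NAME() LIKE N'%Query Analyzer%'
           )
    BEGIN
        -- Rolling back inside a logon trigger cancels the connection; the
        -- refused attempt is recorded in the SQL Server error log.
        ROLLBACK;
    END
END;
GO
```

Two caveats a practitioner should keep in mind. HOST_NAME() and APP_NAME() are supplied by the client, so a developer who writes their own connection string can set both to whatever the trigger expects; this is exactly Jacco's point, and the trigger only raises the bar while the real control is a password the developers no longer know. Second, Randy's short-term advice (audit who connects) can be done on SQL Server 2000 with a Profiler trace on the Audit Login event class filtered on LoginName = middleware_app, which shows the HostName and ApplicationName of every connection that used the shared login.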

Enterprise Manager Security

I am trying to restrict access to SQL Server by the NT Administrator, my question is in two parts:
1. SQL Server 2K and Win 2K Server are loaded on the same box. Is there a way to prevent the NT Administrator gaining access to SQL Server through Enterprise Manager?
2. If not, is there a way to prevent the NT Administrator making any changes via Enterprise Manager?
Any pointers would be gratefully accepted
MOC

Hi,
Solution is: Remove the SYSADMIN role from BUILTIN\Administrators.
But this will lead to DB Maintenance Plan tasks failing. So try to avoid this. Still, OS Admins will be able to browse Enterprise Manager.
In general "OS Administrators" can do any activity on the server, being the one administering the entire server, and normally he won't do anything harmful.
Thanks
Hari
MCDBA
"MOC" <MOC@.MOC.com> wrote in message
news:#Y14$EBDEHA.2308@.tk2msftngp13.phx.gbl...
> I am trying to restrict access to SQL Server by the NT Administrator, my
> question in two parts:
> 1. SQL Server 2K and Win 2K Server are loaded on the Same Box. Is there a
> way to prevent the NT Administrator gaining access to SQL Server through
> Enterprise Manager?
> 2. If not is there a way to prevent the NT Administrator making any changes
> via Enterprise Manager
> Any pointers would be gratefully accepted
> MOC

You can remove builtin\administrators but should add back the service account that SQL Server and SQL Server Agent are running under, and the [NT AUTHORITY\SYSTEM] account if you want to use full-text search.
Probably want to review this article as well:
http://support.microsoft.com/defaul...kb;EN-US;263712
Although it talks about clustered SQL Servers most of the info applies to
stand-alone instances as well...
Richard Waymire, MCSE, MCDBA
This posting is provided "AS IS" with no warranties, and confers no rights.
"Hari" <hari_prasad_k@.hotmail.com> wrote in message
news:eG0GnoBDEHA.3064@.tk2msftngp13.phx.gbl...
> Hi,
> Solution is : Remove SYSADMIN role from BUILTIN\Administrators.
> But this will lead in DB Maintenance plan tasks to fail. So try to avoid
> this. Still OS Admins will be able to browse the Enterprise manager.
> In general "OS Administrators" can do any activity in the Server being he is
> the one administering the entire server and normally
> he won't do anything harm.
> Thanks
> Hari
> MCDBA
>
> "MOC" <MOC@.MOC.com> wrote in message
> news:#Y14$EBDEHA.2308@.tk2msftngp13.phx.gbl...
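What Hari and Richard describe, written out as T-SQL for SQL Server 2000. This is an added example, not code from either post or from the KB article. The order is the point: the SQL Server and SQL Server Agent services were sysadmin only by virtue of being local Administrators, which is why Hari sees maintenance plans fail when the group is removed first; granting the service accounts their own sysadmin membership beforehand avoids that. CORP\svc_sqlserver, CORP\svc_sqlagent and CORP\SQL-DBAs are placeholder account names; if the services run as LocalSystem, the login to add is NT AUTHORITY\SYSTEM.

```sql
-- Added example, not from the thread. Placeholders:
-- CORP\svc_sqlserver = account the MSSQLSERVER service runs as
-- CORP\svc_sqlagent  = account the SQLSERVERAGENT service runs as
-- CORP\SQL-DBAs      = domain group of the DBAs
-- Run as a sysadmin, from Query Analyzer, on the SQL Server 2000 instance.

USE master;
GO
-- 0. See who holds sysadmin today. Do not continue unless this list will
--    still contain a login you can use after BUILTIN\Administrators is gone.
SELECT name, isntgroup, isntuser
FROM   dbo.syslogins
WHERE  sysadmin = 1;

-- 1. Give the service accounts explicit logins and sysadmin membership.
EXEC sp_grantlogin 'CORP\svc_sqlserver';
EXEC sp_addsrvrolemember 'CORP\svc_sqlserver', 'sysadmin';
EXEC sp_grantlogin 'CORP\svc_sqlagent';
EXEC sp_addsrvrolemember 'CORP\svc_sqlagent', 'sysadmin';

-- 2. Full-text search runs as LocalSystem; keep it working (skip if unused).
EXEC sp_grantlogin 'NT AUTHORITY\SYSTEM';
EXEC sp_addsrvrolemember 'NT AUTHORITY\SYSTEM', 'sysadmin';

-- 3. Make sure the DBAs themselves do not depend on the group either.
EXEC sp_grantlogin 'CORP\SQL-DBAs';
EXEC sp_addsrvrolemember 'CORP\SQL-DBAs', 'sysadmin';

-- 4. Now remove the login (Richard's variant). Hari's milder variant, which
--    keeps the login but strips the role, is the commented line instead.
EXEC sp_revokelogin 'BUILTIN\Administrators';
-- EXEC sp_dropsrvrolemember 'BUILTIN\Administrators', 'sysadmin';

-- 5. Verify that only the intended logins remain sysadmin.
SELECT name FROM dbo.syslogins WHERE sysadmin = 1;
```

This closes the convenient path through Enterprise Manager, which is all the question asks for. It does not answer Hari's broader point: a local Administrator still controls the service account, the data and log files and the service's startup parameters, so the measure is an access-hygiene and audit control, not a boundary against a hostile box admin.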

Wednesday, February 15, 2012

enterprise manager

How can a SQL DBA disable security of the SQL Server registration properties (for example, a user can change the password)?
I want to disable the SQL Server registration properties option in the console root.

This is not possible. A user can always change his own password and there is not a way to disable this.
Rand
This posting is provided "as is" with no warranties and confers no rights.