Layers of Security
Posted Monday, December 5, 2011 10:46 PM


SSC-Dedicated
Comments posted to this topic are about the item Layers of Security






Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1216781
Posted Tuesday, December 6, 2011 12:31 AM
SSC Veteran
I have to agree, it's a mess to configure firewalls. Though I've only configured my personal ones.

One time I started out sending an email to the internet service provider I had, asking which protocols and ports they needed open for me to get internet. They didn't know! I started out hard, blocking a bit too much so I didn't even get the packages from the ISP that gave me my IP address. It is a mess and last I checked it was not that easy to find out all the information one should have.
Post #1216797
Posted Tuesday, December 6, 2011 7:07 AM


Ten Centuries
Agreed, though I wonder how many DBAs actually have the authority to set the rules involving database security policies or even set standards for developers and insist that they be followed in all projects? Not many probably (I certainly don't).



The probability of survival is inversely proportional to the angle of arrival.
Post #1217041
Posted Tuesday, December 6, 2011 7:12 AM
SSC-Addicted
OK Steve, you have me interested. I consider SQL Security to be as complex as anything I have seen. I have zero issues configuring my Windows server to be as secure as possible. I think I know enough to do things right, but I don't know "why" to choose one selection over another. Vendors still push for "sa" accounts for access and there is little I can do when I am told to implement a system with that poor of a design, but there are systems that I have more control over. The article above yours mentions "teaching a man (woman) to fish".

What do you suggest as the best resource for security in SQL Server 2008 R2?

Preferably a nice set of articles like the ones SQLServerCentral is doing for SSRS, or how about a good book, maybe even a blog somewhere?

Even those of us who consider themselves experts in this vein should benefit by reading more about it. For those of us who struggle with it, good information can be tremendous. I know BO has information, but to me that is more of a reference, and useful once you know what you want to do. A good primer, followed by good detail, is usually easier for most of us to pick up.

Dave
Post #1217050
Posted Tuesday, December 6, 2011 8:07 AM


SSC-Dedicated
djackson 22568 (12/6/2011)
> Vendors still push for "sa" accounts for access and there is little I can do when I am told to implement a system with that poor of a design, but there are systems that I have more control over.


I've had a few vendors ask for SA in the past. Digging in, we found they wanted SA because a) that's what they always use, and b) because they wanted to create logins or run a job from the application.

We could easily do the "create" logins from SSMS (or EM in that case) and the application would see them. We could also grant rights to run jobs without giving SA. Some vendors want SA, but don't really even know why they have that requirement.


> What do you suggest as the best resource for security in SQL Server 2008 R2?
>
> Preferably a nice set of articles like the ones SQLServerCentral is doing for SSRS, or how about a good book, maybe even a blog somewhere?
>
> Even those of us who consider themselves experts in this vein should benefit by reading more about it. For those of us who struggle with it, good information can be tremendous. I know BO has information, but to me that is more of a reference, and useful once you know what you want to do. A good primer, followed by good detail, is usually easier for most of us to pick up.
>
> Dave


We are working on a security stairway series, but it's tough to get one done. For now, I would recommend a couple resources:

Securing SQL Server: http://www.amazon.com/gp/product/1597496251?ie=UTF8&tag=redgatsof-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1597496251
Hardening SQL Server: http://www.sqlmag.com/article/sql-server/Hardening%20SQL%20Server-135858

Post #1217107
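
An added example (not part of the thread and not any poster's code) of the approach described in the post above: the DBA creates the vendor's login, and Agent job rights come from an msdb role instead of SA. The login `vendor_app`, the database `VendorDb`, the password placeholder and the choice of data roles are assumptions; the syntax targets SQL Server 2008 R2.

```sql
-- Added example: least-privilege alternative to giving a vendor application "sa".
-- vendor_app, VendorDb and the password are hypothetical placeholders.
USE master;
GO
-- The DBA creates the login, so the application needs no rights to create logins.
CREATE LOGIN vendor_app
    WITH PASSWORD = N'<replace-with-strong-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON,
         DEFAULT_DATABASE = VendorDb;
GO
-- Map the login into the application database with data access only
-- (assumed here; grant whatever the application actually needs, nothing more).
USE VendorDb;
GO
CREATE USER vendor_app FOR LOGIN vendor_app;
EXEC sp_addrolemember N'db_datareader', N'vendor_app';
EXEC sp_addrolemember N'db_datawriter', N'vendor_app';
GO
-- Agent job rights come from msdb fixed database roles, not from sysadmin.
-- SQLAgentOperatorRole can start and stop all local jobs;
-- SQLAgentUserRole is narrower (only jobs the user owns).
USE msdb;
GO
CREATE USER vendor_app FOR LOGIN vendor_app;
EXEC sp_addrolemember N'SQLAgentOperatorRole', N'vendor_app';
GO
-- Check 1: the vendor login must not be a sysadmin (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'vendor_app') AS is_sysadmin;
-- Check 2: review every current member of sysadmin.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```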