Can a malware on desktop affect the security of MSSQL?
Posted Friday, January 4, 2013 10:47 AM by MSSQL_NOOB (Valued Member)
Connecting to MSSQL 2000 using SSMS 2008

My company's security expert claims that I need a different account to access MSSQL 2000 servers; disabled my domain account for all MSSQL databases and created a different domain account for my access to MSSQL databases. Is there a legitimate security concern with one domain account that can access email, internet, etc. (and possibly malware / virus) passing it on to MSSQL databases just because I use Windows authentication in my SSMS 2008?

Is this security or stupidity?
Post #1403014
Posted Friday, January 4, 2013 11:56 AM by Lowell (SSChampion)
MSSQL_NOOB (1/4/2013):
    Is this security or stupidity?

A little of both, I think.

From a SQL Server standpoint, SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.
SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.

Covering the security hole by switching to SQL users/passwords potentially opens a different, larger hole.
A virus scanner pretty much puts the issue to bed as far as malware, and that's the solution we prefer at my shop. (We use ESET NOD32 Antivirus.)


Lowell

--There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1403048
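As an added example that is not part of Lowell's post or anything else in this thread, the PowerShell below checks the two facts his reply turns on for a given instance: whether the server accepts SQL logins at all (mixed mode) and which Windows account the connection actually arrives as. The instance name is a placeholder to be replaced; the rest uses the .NET SqlClient and T-SQL functions (SERVERPROPERTY, SUSER_SNAME, IS_SRVROLEMEMBER) that exist on SQL Server 2000 and later.

```powershell
# Added example, not from the thread: report the authentication posture of one
# SQL Server instance over a Windows-authenticated connection.
# Assumption: 'SQLBOX\MSSQL2000' is a placeholder; pass your own name with -Instance.
param([string]$Instance = 'SQLBOX\MSSQL2000')

function Get-SqlAuthPosture {
    param([Parameter(Mandatory=$true)][string]$Instance)

    # Integrated Security=SSPI sends the caller's Windows token; no password is typed,
    # sent or stored by the script, which is the property Lowell's reply relies on.
    $conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Integrated Security=SSPI")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @"
SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WindowsAuthOnly,
       SUSER_SNAME()                                          AS ConnectedAs,
       IS_SRVROLEMEMBER('sysadmin')                           AS IsSysadmin
"@
        $reader = $cmd.ExecuteReader()
        if ($reader.Read()) {
            # PSObject rather than [pscustomobject] so the script also runs on PowerShell 2.0
            New-Object PSObject -Property @{
                Instance        = $Instance
                WindowsAuthOnly = [bool]$reader['WindowsAuthOnly']   # $false means mixed mode: SQL logins are accepted
                ConnectedAs     = [string]$reader['ConnectedAs']     # the account this session really is, e.g. after runas
                IsSysadmin      = [bool]$reader['IsSysadmin']
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

Get-SqlAuthPosture -Instance $Instance | Format-List
```

If WindowsAuthOnly comes back false, the instance accepts SQL logins and the password-guessing concern in the reply above applies to it regardless of how you personally connect; in that case failed-login auditing on the server is the next thing worth enabling and reviewing. ConnectedAs is also a quick way to confirm that a shortcut or launcher really is connecting as the intended second account.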
Posted Friday, January 4, 2013 12:13 PM by Jason (SSCoach)
Lowell (1/4/2013):
    MSSQL_NOOB (1/4/2013):
        Is this security or stupidity?

    A little of both, I think.

I agree it could be a little of both. Many shops use two accounts in AD: one admin-level account and one user-level account. AV software and malware detection software should help with the malware concern.

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP

SQL RNNR
Posting Performance Based Questions - Gail Shaw
Post #1403056
Posted Friday, January 4, 2013 12:41 PM by MSSQL_NOOB (Valued Member)
Lowell (1/4/2013):
    From a SQL Server standpoint, SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.
    SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.

Ohh ... but both my accounts are domain accounts. With one account, I can access email, internet, etc. but not SQL Server. With the other account, I can access SQL Server (and the internet as well) but not email.

So my thoughts here are: when there's an issue, I would log in to domain account #1 and read my emails / problems. Then log off, and log on to domain account #2 to get to MSSQL to fix the issue. And if there are follow-up emails that I may need, then I'll log out of domain account #2 and log on to domain account #1 to get the emails ... and back and forth. And on the same machine!!!

So here I am wondering ... how viable is that plan? And what are the possibilities that a virus / malware transmits from the desktop through SSMS to the MSSQL server?

Jason (1/4/2013):
    I agree it could be a little of both. Many shops use two accounts in AD: one admin-level account and one user-level account. AV software and malware detection software should help with the malware concern.

Ohh ... my "secure" account doesn't have any groups, only Domain Users. So it's not an admin account whatsoever. Just that the username has been added as sysadmin in MSSQL.
Post #1403072
Posted Friday, January 4, 2013 12:47 PM by Jason (SSCoach)
There is an option that does not require you to log on and off, back and forth.

Create an SSMS shortcut that relies on Runas and specify your other account in the runas parameters.

Another option is to create a little PowerShell script and place it on the desktop (or someplace usable). Have the PowerShell script launch SSMS and prompt for account and password.

Then you will not need to log in or out between the two accounts.

This also illustrates the stupidity part of the reason for the second account. You will have access to email and SSMS from the same Windows session.

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP

SQL RNNR
Posting Performance Based Questions - Gail Shaw
Post #1403075
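To make the two suggestions in the post above concrete, here is an added PowerShell launcher (not code from the thread or from any of its participants) that prompts for the second account's password and starts SSMS under that account inside the current desktop session. The SSMS 2008 install path and the CONTOSO\sql-admin account name are assumptions to be replaced with your own; the runas shortcut equivalent is noted in a comment.

```powershell
# Added example, not from the thread: start SSMS as a second domain account without
# logging the desktop session off. Works on PowerShell 2.0 and later.
# Assumptions: the SSMS 2008 path below (default install location) and the
# placeholder account CONTOSO\sql-admin; both are parameters you must set.
param(
    [string]$SsmsPath     = 'C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe',
    [string]$AdminAccount = 'CONTOSO\sql-admin'   # placeholder: the account that holds sysadmin
)

function Start-SsmsAsAccount {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Account
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "SSMS not found at '$Path'; set -SsmsPath to your install location."
    }

    # The password is typed at each launch and held only in this PSCredential object;
    # nothing is saved to disk, which is what makes this preferable to a stored secret.
    $cred = Get-Credential $Account
    if ($null -eq $cred) { return }   # the prompt was cancelled

    # -Credential makes Windows create the process with the second account's token, so
    # SSMS uses Windows authentication as that account while the desktop stays logged in
    # as the first. -WorkingDirectory avoids an access-denied on a profile folder the
    # second account cannot read.
    Start-Process -FilePath $Path -Credential $cred -WorkingDirectory (Split-Path -Parent $Path)
}

# Shortcut equivalent of the same thing (shortcut target), as the post suggests:
#   runas /user:CONTOSO\sql-admin "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

Start-SsmsAsAccount -Path $SsmsPath -Account $AdminAccount
```

Read this as a convenience with a known limit, which is the "stupidity part" the post itself points out: both processes share one interactive desktop, so code running under the first account in that session can still drive the SSMS window. What the launcher does buy you is that the sysadmin account is never the logged-in session that reads mail and browses, and its password is entered only for the SSMS process that needs it.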
Posted Friday, January 4, 2013 1:44 PM by MSSQL_NOOB (Valued Member)
Jason (1/4/2013):
    Create an SSMS shortcut that relies on Runas and specify your other account in the runas parameters.

    Another option is to create a little PowerShell script and place it on the desktop (or someplace usable). Have the PowerShell script launch SSMS and prompt for account and password.

Gosh ... I love your idea! How do I thank you? These are awesome suggestions.

Edit: Found http://www.sevenforums.com/tutorials/164915-run-different-user-shortcut-create-specified-program-user.html
Totally defeats the security "clean system" but works like a CHARM!!!
But hey, same desktop, different username isn't exactly a "clean system" anyway.
Post #1403100