Can a malware on desktop affect the security of MSSQL?
MSSQL_NOOB
Posted Friday, January 04, 2013 10:47 AM
Connecting to MSSQL 2000 using SSMS 2008
My company's security expert claims that I need a different account to access MSSQL 2000 servers; disabled my domain account to all MSSQL databases and created a different domain account for my access to MSSQL databases. Is there a legitimate security concern with 1 domain account that can access email, internet, etc (and possibly malware / virus) passing it MSSQL databases just because I use Windows authentication on my SSMS 2008???
Is this security or stupidity?
Post #1403014
Lowell
Posted Friday, January 04, 2013 11:56 AM
MSSQL_NOOB (1/4/2013)
Is this security or stupidity?
A little of both, I think.
From a SQL Server standpoint,
SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.
SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.
Covering the security hole by switching to SQL users/passwords potentially opens a different, larger hole.
A virus scanner pretty much puts the issue to bed as far as malware, and that's the solution we prefer at my shop. (We use ESET NOD32 Antivirus.)
Lowell
--
There is no spoon, and there's no default ORDER BY in sql server either.
Actually, Common Sense is so rare, it should be considered a Superpower. --my son
Post #1403048
SQLRNNR
Posted Friday, January 04, 2013 12:13 PM
Lowell (1/4/2013)
MSSQL_NOOB (1/4/2013)
Is this security or stupidity?
A little of both, I think.
I agree it could be a little of both. Many shops use two accounts in AD - one admin-level account and one user-level account. AV software and malware detection software should help with the malware concern.
Jason
AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server 2008
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1403056
MSSQL_NOOB
Posted Friday, January 04, 2013 12:41 PM
From a SQL server standpoint,
SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.
SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.
Ohh ... but both my accounts are domain accounts. One account, I can access email, internet, etc but not SQL Server. Another account, I can access SQL Server, well internet as well; but not emails.
So my thoughts here are when there's an issue, I would log in to domain account #1; read my emails / problems. Then, log off, and log on to domain account #2 to get to MSSQL to fix the issue. And if there are follow up emails that I may need; then I'll log out of domain account #2 and log on to domain account #1 to get the emails ... and back and forth. And on the same machine!!!
So here I am wondering ... how viable is that plan? And what are the possibilities that virus / malware transmits from desktop through SSMS to MSSQL server?
I agree it could be a little of both. Many shops use two accounts in AD - one admin-level account and one user-level account. AV software and malware detection software should help with the malware concern.
Ohh ... my "secure" account doesn't have any groups - only Domain User. So it's not an admin account whatsoever. Just that username is being added as sysadmin in MSSQL.
Post #1403072
SQLRNNR
Posted Friday, January 04, 2013 12:47 PM
There is an option that does not require you to log on and off and back and forth.
Create an SSMS shortcut that relies on Runas and specify your other account in the runas parameters.
Another option is to create a little PowerShell script and place it on the desktop (or someplace usable). Have the PowerShell script launch SSMS and prompt for account and password.
Then you will not need to log in or out between the two accounts.
This also illustrates the stupidity part of the reason for the second account. You will have access to email and SSMS from the same Windows session.
Jason
Post #1403075
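The PowerShell launcher described in the post above, as an added example that is not part of the original thread. The SSMS 2008 install path and the account name `CONTOSO\dba_account` are assumptions; adjust both for your environment.

```powershell
# Added example: start SSMS under a second domain account from the current
# Windows session, prompting for the password each time.
# Assumptions (not from the thread): the default SSMS 2008 path on 64-bit
# Windows and the placeholder account CONTOSO\dba_account.
param(
    [string]$SsmsPath = 'C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe',
    [string]$Account  = 'CONTOSO\dba_account'
)

if (-not (Test-Path -LiteralPath $SsmsPath)) {
    throw "SSMS not found at '$SsmsPath'; pass -SsmsPath with the correct location."
}

# Prompt for the password. Nothing is written to the script or to disk.
$cred = Get-Credential -UserName $Account -Message 'Account used for SQL Server access'
if (-not $cred) {
    throw 'No credential supplied; SSMS was not started.'
}

# -WorkingDirectory matters: the default is the caller's current directory,
# which the second account may not be able to read, and the launch then
# fails with "The directory name is invalid".
$proc = Start-Process -FilePath $SsmsPath `
                      -Credential $cred `
                      -LoadUserProfile `
                      -WorkingDirectory (Split-Path -Parent $SsmsPath) `
                      -PassThru

Write-Host "Started SSMS (PID $($proc.Id)) with credentials for $($cred.UserName)."

# Equivalent shortcut target using the built-in runas command:
#   runas /user:CONTOSO\dba_account "<path to Ssms.exe>"
#
# To confirm which login a Windows-authenticated connection is using,
# run this in an SSMS query window:
#   SELECT SYSTEM_USER;
```

The SSMS process started this way carries the second account's token but still runs on the same interactive desktop as the mail client and browser, which is the point the post makes about the two-account arrangement.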
MSSQL_NOOB
Posted Friday, January 04, 2013 1:44 PM
Create an SSMS shortcut that relies on the Runas and specify your other account in the runas parameters.
Another option is to create a little PowerShell script and place it on the desktop (or someplace usable). Have the PowerShell script launch SSMS and prompt for account and password.
Gosh ... I love your idea! How do I thank you? These are awesome suggestions.
Edit: Found http://www.sevenforums.com/tutorials/164915-run-different-user-shortcut-create-specified-program-user.html
Totally defeats the security "clean system" but works like a CHARM!!!
But hey, same desktop, different username isn't exactly "clean system" anyway.
Post #1403100
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.