Application user group security
Posted Monday, August 5, 2013 9:15 AM
Greetings everyone,
I was wondering if you could help me with some suggestions on how to increase the security around my SQL 2008 R2 database server.
I currently have a third-party application that uses a domain group (xxx\APP_ReadGroup) for authentication. In order for the application to access the database, that same domain group requires db_reader to the database. I cannot change how the application is written, so I cannot assign a SQL account that the application would use to read the database.

I'm trying to prevent users that are in the domain group from opening an ODBC connection and viewing the underlying tables and data.

Any thoughts or recommendations?


Thanks
-Mike
Post #1480963
Posted Monday, August 5, 2013 10:04 AM
I already have the instance running on a non-default port.
Post #1480985
Posted Monday, August 5, 2013 1:47 PM


So that application is a two-tier application and users are members of that group?

In that case, your only option is to put the application on Terminal Server/Citrix etc., so that when users log in on the TS, they directly get into the application with no possibility to get out. Furthermore, the network admin needs to segment the network, so that users cannot access SQL Server from their desktops; SQL Server is only visible from that terminal server.


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1481067
Posted Wednesday, August 21, 2013 9:48 PM


Do you control the connection string the application uses? If yes, are the users in the group prevented from seeing the connection string, either due to the architecture or the fact that the information is compiled into the app or in an encrypted config file? If yes again, then you could add an application name to the connection string and set up a login trigger to deny logins unless the application name were what the application had set up in its connection string. This is technically only an obfuscation, not security, but it could tighten things up a little.

Hosting the app in a virtual desktop environment, preventing the use of client tools in that environment, and locking down access to the instance using network segmentation is a complete solution.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1487034
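
The login trigger suggested in the last reply, sketched in T-SQL as an added example (not code from any poster in this thread). The trigger name and the application name `ThirdPartyApp` are hypothetical; `xxx\APP_ReadGroup` is the group named in the original question.

```sql
-- Added example. Hypothetical names: trg_restrict_app_group, N'ThirdPartyApp'.
-- xxx\APP_ReadGroup is the domain group from the original question.

-- Step 1 (before enforcing): see which application names currently connect,
-- so the trigger does not block the real application.
SELECT login_name, host_name, program_name, COUNT(*) AS session_count
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
GROUP BY login_name, host_name, program_name
ORDER BY login_name, program_name;
GO

-- Step 2: reject logons from group members unless the connection string
-- carries the expected Application Name.
CREATE TRIGGER trg_restrict_app_group
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Never apply the rule to sysadmins, so a mistake cannot lock them out.
    IF IS_SRVROLEMEMBER('sysadmin') = 1
        RETURN;

    -- APP_NAME() is whatever the client put in its connection string, so this
    -- stops casual ODBC/Excel/SSMS use but not someone who knows the name.
    IF IS_MEMBER(N'xxx\APP_ReadGroup') = 1
       AND APP_NAME() <> N'ThirdPartyApp'
    BEGIN
        ROLLBACK;  -- the logon fails; SQL Server records it in the error log
    END
END;
GO

-- Recovery if the trigger misbehaves (run as a sysadmin, or over the DAC):
-- DISABLE TRIGGER trg_restrict_app_group ON ALL SERVER;
```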