Application user group security

  • Greetings everyone,

    I was wondering if you could help me with some suggestions on how to increase the security around my SQL 2008 R2 database server.

    I currently have a third party application that uses a domain group (xxx\APP_ReadGroup) for authentication, in order for the application to access the database that same domain group requires db_reader to the database. I cannot change how the application is written so I cannot assign a SQL account that the application would use to read the database.

    I'm trying to prevent users that are in the domain group from opening an ODBC connection and viewing the underlying tables and data.

    Any thoughts or recommendations?

    Thanks

    -Mike

  • I already have the instance running on a non-default port.

  • So that application is a two-tier application and users are members of that group?

    In that case, your only option is to put the application on Terminal Server/Citrix etc, so that when users log in on the TS, they directly get into the application with no possibility to get out. Furthermore, the network admin needs to segment the network, so that users cannot access SQL Server from their desktops; SQL Server is only visible from that terminal server.

    Erland Sommarskog, SQL Server MVP, www.sommarskog.se

  • Do you control the connection string the application uses? If yes, are the users in the group prevented from seeing the connection string, either due to the architecture or the fact that the information is compiled into the app or in an encrypted config file? If yes again, then you could add an application name to the connection string and set up a login trigger to deny logins unless the application name were what the application had set up in its connection string. This is technically only an obfuscation, not security, but it could tighten things up a little.

    Hosting the app in a virtual desktop environment, preventing the use of client tools in that environment, and locking down access to the instance using network segmentation is a complete solution.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
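The login-trigger idea from the post above, written out as an added example (this is not code from the thread or from the product vendor). It assumes the group name from the question, `xxx\APP_ReadGroup`; a placeholder application name, `ThirdPartyApp`, standing in for whatever `Application Name=` (`APP=` in ODBC syntax) the real connection string carries; and a hypothetical DBA group, `xxx\SQLAdmins`, exempted so the trigger cannot lock administrators out. It targets SQL Server 2008 R2 T-SQL.

```sql
-- Added example, not code from the original thread. A server-level logon trigger
-- that cancels connections from members of the application's domain group unless
-- the session presents the application name set in the app's connection string.
-- Assumed names: 'xxx\APP_ReadGroup' is the group from the question;
-- 'ThirdPartyApp' stands in for whatever Application Name=... the real connection
-- string carries; 'xxx\SQLAdmins' is a hypothetical DBA group exempted so the
-- trigger cannot lock administrators out.

-- Step 1: before creating the trigger, look at what program_name the application
-- and the usual client tools actually present (APP_NAME() returns the same value
-- inside the session), so the comparison below matches the real string.
SELECT login_name, program_name, host_name, client_interface_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1;
GO

-- Step 2: create the logon trigger in master. Without EXECUTE AS it runs in the
-- security context of the connecting login, which is what IS_MEMBER() and
-- IS_SRVROLEMEMBER() need in order to evaluate that login's memberships.
USE master;
GO

CREATE TRIGGER trg_AppReadGroup_RequireAppName
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- IS_MEMBER() returns NULL for SQL logins and for unknown group names;
    -- ISNULL(..., 0) turns that into "not a member" so the logic below never
    -- sees an unknown result.
    DECLARE @in_app_group bit = ISNULL(IS_MEMBER(N'xxx\APP_ReadGroup'), 0);
    DECLARE @is_dba       bit = ISNULL(IS_MEMBER(N'xxx\SQLAdmins'), 0);
    DECLARE @is_sysadmin  bit = ISNULL(IS_SRVROLEMEMBER(N'sysadmin'), 0);

    IF @in_app_group = 1
       AND @is_dba = 0
       AND @is_sysadmin = 0
       AND APP_NAME() <> N'ThirdPartyApp'
    BEGIN
        -- ROLLBACK inside a logon trigger cancels the connection attempt; the
        -- client receives error 17892 ("Logon failed for login ... due to
        -- trigger execution").
        ROLLBACK;
    END
END;
GO

-- Step 3 (only if the trigger misfires): remove it.
-- DROP TRIGGER trg_AppReadGroup_RequireAppName ON ALL SERVER;
```

Two practical notes. First, the check is exactly as weak as the post says: `APP_NAME()` is whatever the client declares, so anyone who learns the string can put `APP=ThirdPartyApp` in an ODBC DSN and walk straight past the trigger; the exemption for DBAs and sysadmins is there because a logon trigger that blocks everyone is a self-inflicted outage. Second, if a bad trigger does lock you out, the documented way back in is the Dedicated Administrator Connection (`sqlcmd -A`) or starting the instance with `-f`, after which the `DROP TRIGGER ... ON ALL SERVER` line above removes it.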
