SQL Server Security: Pros and Cons of Application Roles
Posted Sunday, August 24, 2003 12:00 AM


Keeper of the Duck
Group: Moderators
Comments posted to this topic are about the content posted at http://www.sqlservercentral.com/columnists/bkelley/sqlserversecurityprosandconsofapplicationroles.asp

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
Post #15594
Posted Tuesday, August 26, 2003 9:32 PM
SSC-Addicted
Group: General Forum Members
Fair coverage of the issues. We're in the process of creating a new system running on SQL Server and ARs are the only way I could see to sensibly enforce security. We've hit the issue of cross-database access, but in a way it was good as the developer was calling xp_cmdshell which was going to introduce more problems than it solved.

SJT
Post #76349
Posted Tuesday, August 26, 2003 9:43 PM


Keeper of the Duck
Group: Moderators
The issue with cross-database access also applies to cross-database ownership chaining with respect to valid users. If a login doesn't have a valid user in a second database (and guest isn't enabled), they'll still be blocked. So it shows up again and again in the SQL Server security model.

xp_cmdshell? *shudder* There is a reason it's not given out by default.

K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Post #76350
Posted Wednesday, August 27, 2003 8:05 AM


SSChasing Mays
Group: General Forum Members
We hit another “gotcha” with connection pooling with a web application a long time back.

The ASPs called a DLL that uses SQL authentication (I know, I know) to access the database. We implement all database access through stored procedures, but there was this one routine where the developer decided to build and submit a SELECT statement within a stored procedure. Rather than harass him to do it differently I set up an application role with access rights to support the query, and the application activated the role if and as necessary.

This, however, messed up other ASP pages, as the application role didn’t have execute stored procedure rights (as I am always harsh over database access privileges), but it took a while to figure out. Say we had 20 connections open in the pool to support the web site; at any point in time, 0 to 20 of them could be working under the context of this application role, and this status is “undetectable” by the pool manager. It’d assign a connection based on server, login, database (and/or whatever else), but was completely unaware of application role status, resulting in a connection being assigned with inappropriate rights.

In the end I dumped the application role and harassed the developer to change his code. If there were a way to “undo” or roll back the application role setting, this would not have been a problem.

Philip





Post #76351
Posted Wednesday, August 27, 2003 8:14 AM


Keeper of the Duck
Group: Moderators
quote:
In the end I dumped the application role and harassed the developer to change his code. If there were a way to “undo” or roll back the application role setting, this would not have been a problem.

I agree wholeheartedly. While a simple stored procedure can reset client settings, nothing exists to reset an app role back to the base user. Not sure why as it would make resource pooling more friendly.

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Post #76352
Posted Wednesday, August 27, 2003 10:20 AM


SSC-Dedicated
Group: Administrators
Nicely written Brian and shares many of my same views. I've tended to handle inappropriate access (like not using the application) administratively. A chewing out, a writeup, or a termination if people see the need to use Access or some other tool to change data.

However, I'm curious about a couple things. What if you used a "shared login" for all users that had minimal rights before invoking the app role? Would that eliminate one of the cons?

Also, for pooling issues, an app could potentially just hold a connection open. For quite a few client/server apps, this might make sense. Alternatively, you could set a semaphore of some sort in the app when the role is invoked and not reissue "sp_setapprole" if the semaphore is set. A simple check could determine "which role" you had.

Lastly, not sure the server roles item applies for this. The apps where we want to prevent access wouldn't usually have server roles for someone. There are exceptions, but not sure they're enough to mark this as a "con", more as an FYI.

Again, great article.

Steve Jones
sjones@sqlservercentral.com
http://www.sqlservercentral.com/columnists/sjones
www.dkranch.net







Post #76353
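The pooling behaviour Philip describes and the application-side flag Steve Jones suggests, as an added example that is not part of the original thread: a constructed Python model in which a pool matching only on server, login and database hands a role-switched connection to a page that needs EXECUTE rights, while a pool that also records the role does not. No real driver or server is involved, and `Conn`, `Pool`, `GRANTS` and the login and role names are hypothetical.

```python
# Constructed model of the thread's pooling problem; no real driver or server.
# Every name below (Conn, Pool, GRANTS, logins, roles) is hypothetical.
GRANTS = {"web_login": {"EXEC"}, "report_role": {"SELECT"}}  # constructed


class Conn:
    """A pooled connection whose application role, once set, is never reset."""
    def __init__(self, server, login, database):
        self.key = (server, login, database)
        self.app_role = None  # also serves as the app-side flag

    def set_app_role(self, role):
        self.app_role = role  # stands in for executing sp_setapprole

    def can(self, action):
        # After activation only the role's rights apply, not the login's.
        return action in GRANTS.get(self.app_role or self.key[1], set())


class Pool:
    """role_aware=False matches on (server, login, database) only."""
    def __init__(self, role_aware):
        self.idle, self.role_aware = [], role_aware

    def acquire(self, server, login, database, role=None):
        key = (server, login, database)
        match = next((c for c in self.idle if c.key == key and
                      (not self.role_aware or c.app_role == role)), None)
        if match:
            self.idle.remove(match)
        conn = match or Conn(*key)
        if role and conn.app_role is None:
            conn.set_app_role(role)  # issued once, never reissued
        return conn

    def release(self, conn):
        self.idle.append(conn)


def run_scenario(role_aware):
    pool = Pool(role_aware)
    a = pool.acquire("srv", "web_login", "app", role="report_role")
    select_ok = a.can("SELECT")       # the page that builds a SELECT
    pool.release(a)
    b = pool.acquire("srv", "web_login", "app")  # a page calling a procedure
    return select_ok, b.can("EXEC"), b.app_role


if __name__ == "__main__":
    print(run_scenario(False), run_scenario(True))
```

The role-blind run returns the recycled connection still under `report_role`, so the second page's EXEC check fails; the role-aware run opens a fresh connection for it instead.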
Posted Wednesday, August 27, 2003 12:33 PM


SSC-Enthusiastic
Group: General Forum Members
quote:
I'll try and be fair and balanced in this article, but I've provided this disclaimer in case I'm not.



I think Fox News will be starting another lawsuit because you used the phrase "fair and balanced." First Al Franken, now Brian Kelley...




Post #76354
Posted Wednesday, August 27, 2003 12:39 PM


Keeper of the Duck
Group: Moderators

Funny you mentioned that.  I read the judge's comments and I don't think my article could in any way be construed with O'Reilly so I think I'm safe. If not, us DBAs aren't exactly full of money so it's like trying to squeeze blood out of a turnip.

 



K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Post #76355
Posted Tuesday, September 2, 2003 12:03 AM


SSCertifiable
Group: General Forum Members
With Standard VB6 it needs a normal login-procedure and then a switch to the application-role executing the sp_setapprole.

Is there a .Net-framework-based integration for SQLServer application roles?
If not: are application roles obsolete?




Johan


Don't drive faster than your guardian angel can fly ...
but keeping both feet on the ground won't get you anywhere

Post #76356
Posted Monday, March 27, 2006 2:34 PM


SSCrazy
Group: General Forum Members

We're thinking of using application roles, but I don't quite get how to give it permissions.  We currently have a sql login that's being used & abused. It has dbo access, and I want to use an app role that also has dbo access so that it can create work tables via an application. I can see how to grant access to specific tables and SPs, but I don't want to have to manually manage specific objects.

What am I missing?




Post #268779