<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
Article Discussions
»
Article Discussions by Author
»
Discuss Content Posted by Andy Warren
»
The Case for SQL Logins - Part 1
76 posts, Page 1 of 8
1
2
3
4
5
»
»»
The Case for SQL Logins - Part 1
Rate Topic
Display Mode
Topic Options
Author
Message
Andy Warren
Andy Warren
Posted Sunday, June 16, 2002 12:00 AM
SSCertifiable
Group: Moderators
Last Login: Thursday, May 09, 2013 12:38 PM
Points: 6,462,
Visits: 1,384
Comments posted to this topic are about the content posted at
http://www.sqlservercentral.com/columnists/awarren/thecaseforsqlloginspart1.asp
>
http://www.sqlservercentral.com/columnists/awarren/thecaseforsqlloginspart1.asp
Andy
SQLShare - Learn One New Thing Each Day
SQLAndy - My Professional Blog
Connect with me on LinkedIn
Follow me on Twitter
Post #4851
marten_brege
marten_brege
Posted Monday, June 24, 2002 12:17 AM
SSC Rookie
Group: General Forum Members
Last Login: Thursday, January 31, 2008 8:31 AM
Points: 38,
Visits: 2
x
Edited by - marten_brege on 06/24/2002 12:18:05 AM
Post #35643
johnnypenet
johnnypenet
Posted Monday, June 24, 2002 1:01 AM
Forum Newbie
Group: General Forum Members
Last Login: Tuesday, August 24, 2004 7:38 AM
Points: 2,
Visits: 1
You got it right, even Microsoft push for this approach on ASP.NET. One SQL account, hidden for the user, for doing the job, and a table of users maintained by your application. By preference use the same usernames as in the domain. In this way you can use role based security, maintained by the domain. This is the approach in the ASP.NET, but it could easily be extended for other client / server applications.
Post #35644
Paul Thornett
Paul Thornett
Posted Monday, June 24, 2002 1:37 AM
SSC Rookie
Group: General Forum Members
Last Login: Wednesday, September 07, 2011 8:38 AM
Points: 28,
Visits: 96
While I agree completely with your comments about Windows authentication, I don't believe they go far enough.
Sql Server comes in many flavours, one of which is a Desktop version. I believe the very existence of this version of the product strongly implies that Microsoft expects, even encourages, us to develop bespoke databases for clients (and of course, the existence of the MSDE engine supports this inference).
In such an environment, I can expect to provide a tailored solution to one or more clients. Such a solution may involve software (programming), hardware (machines) and data (stored in databases <g>). The client may elect to allow a number of users some type of access to all or some of the data - including a mobile access requirement (e.g. for a travelling salesman to work on his numbers at night in his hotel room). Now, in order to meet this type of requirement, the client can make available a copy of the database to run under the Desktop version of Sql Server.
As the designer and implementor, I can impose whatever security my client desires. Perhaps his salesmen are to be denied access to one or more tables. But once the database has been copied to the salesman's machine, all existing Sql Server security has just gone out the window. Removing the BUILTIN/Administrators works only on the database machine on which you remove that login. By copying such a database to another machine, anyone who has administrative NT rights on that second machine instantly has unfettered access to the copied database (I've tested this by creating a test database and removing all access; as soon as I copied the database to another machine, all read/write access was restored).
Even humble old Microsoft Access does better than this with its user security. The problem lies in where Sql Server chooses to store its security information - i.e. not in the target database.
I have discussed this issue with various Microsoft technical people - once they understand the problem, they simply trot out the usual trite remarks about "there's no security without physical security". Even most of the Sql gurus don't seem to realize just how fatally flawed Sql Server is in this respect - I guess they're not really thinking of Sql Server being used in this way.
Imagine the howls of protest (and even the derision and laughter) that would ensue if Microsoft were to announce that anyone with NT administrative rights on _any_ machine would _automatically_ have similar rights over _all_ other NT machines!
--------
Paul Thornett
Post #35645
pauldurdin
pauldurdin
Posted Monday, June 24, 2002 3:18 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Wednesday, September 28, 2005 5:57 AM
Points: 175,
Visits: 1
Well it's good to keep this topic under discussion. I agree that WA dosnt do anything for internet sites where there is a problem that has to be addressed.
However i use WA and application roles for all my intranet and internal apps because it allows me to switch people on and off easily, but dosnt give them any access to the database, apart from views & spocs that i explicitly give them. If an employee leaves he cannot even get onto the network and cannot connect to the database so knowledge of the app role password is not an issue after he has left.
App Roles are essential to controlling access to rows and columns, which (unless i've missed something) cant be done in SQL Server 7.
The problems with app roles are;
1. you have to store the role name & password somewhere. This can be dealt with as suggested in the article.
2. third party tools and components such as crystal reports dont support app roles - which is a serious drawback imo.
One ommision that i would like to see a solution to is being able to see the sum total of access that a user has via the various roles etc. E.g. User W has read permission on table X through role Y and role Z
Post #35646
Rayven
Rayven
Posted Monday, June 24, 2002 5:28 AM
Mr or Mrs. 500
Group: General Forum Members
Last Login: Wednesday, May 22, 2013 2:19 AM
Points: 575,
Visits: 346
Excellent article. We use SQL to back end intranet and web applications and NT security is pretty much useless for what we need.
Unless the operator somehow figures out how to set up an ODBC, work out the connection and the password, they can't access the data. If anyone needs data, it can always be extracted to a spreadsheet, or they can have a view designed for them
---------------------------------------
It is by caffeine alone I set my mind in motion.
It is by the Beans of Java that thoughts acquire speed,
the hands acquire shaking, the shaking becomes a warning.
It is by caffeine alone I set my mind in motion.
Post #35647
Andy Warren
Andy Warren
Posted Monday, June 24, 2002 6:01 AM
SSCertifiable
Group: Moderators
Last Login: Thursday, May 09, 2013 12:38 PM
Points: 6,462,
Visits: 1,384
Thank you all for your comments so far!
Andy
http://www.sqlservercentral.com/columnists/awarren/
Andy
SQLShare - Learn One New Thing Each Day
SQLAndy - My Professional Blog
Connect with me on LinkedIn
Follow me on Twitter
Post #35648
r3patel
r3patel
Posted Monday, June 24, 2002 6:13 AM
Grasshopper
Group: General Forum Members
Last Login: Thursday, January 10, 2013 12:12 PM
Points: 15,
Visits: 46
Thanks, very good article, makes me rethink about WA security (how safe is safe!!!!)
Post #35649
SueStill
SueStill
Posted Monday, June 24, 2002 6:34 AM
SSC Rookie
Group: General Forum Members
Last Login: Tuesday, April 07, 2009 12:55 PM
Points: 34,
Visits: 3
We tend to use WA because we also use groups to control software installation. The fact is, if you're using WA everywhere else, why change it. WA plus app roles provides enough control for us. Also, what about the transaction log? How do you know who's performing which transactions if you use a "service id"?
Post #35650
zacek@improve.cz
zacek@improve.cz
Posted Monday, June 24, 2002 6:59 AM
SSC Rookie
Group: General Forum Members
Last Login: Thursday, April 29, 2004 5:09 AM
Points: 40,
Visits: 1
WA or mixed is as good as DBA is.
The are lot of pro's and con's with each approach and no universal recommendation can be made. I assume that account lockout is excellent feature on sites which are often target to some attacks. In bookkeeping software is this feature unpleasant. You decide what is best in your deployment scenario and you have to try to guard the server whatever the security mode is.
We use WA as much as possible, but my issue is that SAP R/3 package does not support WA, so we have non-WA island in sea of WA, which makes me much more nervous because different support procedures, hotline etc.
Post #35651
« Prev Topic
|
Next Topic »
76 posts, Page 1 of 8
1
2
3
4
5
»
»»
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
