Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

Limiting applications - discussion Expand / Collapse
Author
Message
Posted Wednesday, April 1, 2009 2:10 PM
SSC Veteran

SSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC VeteranSSC Veteran

Group: General Forum Members
Last Login: Wednesday, June 6, 2012 6:49 AM
Points: 249, Visits: 140
For SQL Server 2005 and SQL Server 2008.

We found an enterprising user that made his own ODBC, used his OS/authentication that an existing application uses, and created his own access database application. No malicious intent, just trying to do things (he thought) better and faster.

Lets leave out "Don't allow ODBC's to be created" discussion.

Are there different methods so "MyApplication" with "domain\userFred" is the only way Fred has access to the database? The vendor application ONLY uses authenticated user access. Some users are explicitly listed in the database, others are in domain groups.

Also, any way to do this in sql 2000? SQL 2000 is not an issue right now, but could be.

Thanks,
Joseph



Post #688337
Posted Wednesday, April 1, 2009 2:23 PM


SSChampion

SSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampionSSChampion

Group: General Forum Members
Last Login: Thursday, July 24, 2014 9:07 AM
Points: 11,157, Visits: 12,899
IN 2005 and 2008 you could use a LOGON TRIGGER and check the application name, but be aware that this can be passed as part of the connection string so your real application can be spoofed.

I don't know of a way to do this in 2000.

Scenarios like this is why I don't believe in granting direct table access. If everything is done with SP's, Views, and UDF's then the users can't do this.




Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming

Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
How to Post Performance Problems
Crosstabs and Pivots or How to turn rows into columns Part 1
Crosstabs and Pivots or How to turn rows into columns Part 2
Post #688353
Posted Wednesday, April 1, 2009 3:26 PM
SSCrazy

SSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazySSCrazy

Group: General Forum Members
Last Login: Today @ 2:37 PM
Points: 2,828, Visits: 3,012
In SQL 2000 you could write a script using sp_who2 and create a job to run every min and kill connections where ProgramName like 'Microsoft Office%'. That's a pretty hokey way to do things.

In 2008 you can use resource governor to limit CPU and memory by application and limit Microsoft Office to 1% of each so they can't hog resources. This of course doesn't keep them from using MS Access.

Just throwing out a couple ideas.
Post #688417
Posted Wednesday, April 1, 2009 3:34 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Today @ 12:57 PM
Points: 7,042, Visits: 12,974
Did you look into application roles?

Brian Kelley's article below pretty much describes your scenario. Maybe it's an option, even with all the con's...
http://www.sqlservercentral.com/articles/Security/sqlserversecurityprosandconsofapplicationroles/1116/




Lutz
A pessimist is an optimist with experience.

How to get fast answers to your question
How to post performance related questions
Links for Tally Table , Cross Tabs and Dynamic Cross Tabs , Delimited Split Function
Post #688426
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse