SSCrazy
I seem to remember in the long, long ago that there were three options in SQL 6.0 and 6.5 where you could choose Windows, SQL, or mixed.
I don't really see a reason to remove Windows security; instead I would advocate that for the vast majority of instances you should be using Windows security over SQL security.
CEWII
-------------------------------- Having trouble figuring out what jobs are running in SQL Server at the same time? Try Sql Job History Visualization. It lets you view your SQL Job history on an Outlook-style calendar.
SSC Journeyman
Recommended or not. This is what the auditors want in a corporate world. To prevent network administrator access. I have not upgraded from SQL2000 yet. Busy planning and playing with SQL2008, but as far as I understand, it is possible to do just that?
Mr or Mrs. 500
Don't think I'd like just SQL authentication... If I were to have a third option I'd go with requiring both SQL and Windows authentication (not SQL or Windows)...
Mr or Mrs. 500
Ok I'm confusing myself here between authentication and authorisation... which I always do... What I mean is that I'd like to see sql server require both windows and sql authorisation. (obviously you can't do this without both sql and windows authentication)... But basically I don't want anyone connecting to my data who isn't on my domain and hasn't put a password in. Is this too much to ask?
SSC Eights!
Japie Botma (11/20/2009) Recommended or not. This is what the auditors want in a corporate world. To prevent network administrator access.
I agree, and I must admit there are one or two instances where I'd like it too. I know it's possible to amend the security of a SQL server so the built in Administrators group doesn't automatically have God rights, but it's still a mighty big assumption that any of your AD admins should have access to do anything with corporate databases by default. In my experience, few people with the skills to administer an Active Directory domain also have the skills necessary to be an effective DBA.
Semper in excretia, sumus solum profundum variat
SSC Journeyman
I think you are missing the scenario where you have three (or more) equal partners: one company hosting the database, a second owning the data, and a third owning the software. Obviously, the owner of the hardware may require access at the OS level, but the owner of the data may not want their host to be able to read that content, and the software vendor will not want anyone else having access to their code, so the simplest solution is to turn off access via Windows passwords - it is hard to think of any non-Microsoft software product that makes Windows authentication mandatory.
Throw away your pocket calculators; visit www.calcResult.com
Mr or Mrs. 500
majorbloodnock (11/20/2009)
Japie Botma (11/20/2009) Recommended or not. This is what the auditors want in a corporate world. To prevent network administrator access. I agree, and I must admit there are one or two instances where I'd like it too. I know it's possible to amend the security of a SQL server so the built in Administrators group doesn't automatically have God rights, but it's still a mighty big assumption that any of your AD admins should have access to do anything with corporate databases by default. In my experience, few people with the skills to administer an Active Directory domain also have the skills necessary to be an effective DBA.
I think you are missing the point... Windows authentication is just that... authentication. It tells SQL Server that you are one of a group of people authorised to work on a network... Thus it is not just possible to amend the security of a SQL server, it is crucial... You don't control access to your data via authentication; you do it through the various security roles, schemas etc. that you set up within your server which authorise access... The point however is that if you remove Windows authentication you remove the possibility of an extra layer of security, because if a user just has a SQL password how do you know they are an authenticated user on your network? That may not matter in all instances, but why would you really want to remove it?
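An added T-SQL check (not posted in the thread) that covers the two points raised above: majorbloodnock's remark that the built-in Administrators group can be stripped of its automatic sysadmin rights, and the distinction between authentication mode and the authorisation you grant through server roles. It assumes SQL Server 2005 or later (the sys.server_principals catalog views) and uses a placeholder domain group name.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+ and a placeholder
-- DBA group [DOMAIN\DBA-Team]; run as a sysadmin.

-- 1. Authentication mode of the instance.
--    1 = Windows Authentication only, 0 = mixed mode (Windows + SQL logins).
--    There is no "SQL logins only" value: Windows authentication cannot be
--    turned off, which is the answer to the question that started the thread.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Authorisation: which Windows users and groups hold the sysadmin role?
--    If BUILTIN\Administrators is listed, every local or domain administrator
--    on the box is a SQL Server sysadmin without any explicit grant.
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
  AND p.type IN ('U', 'G');      -- U = Windows user, G = Windows group

-- 3. Least-privilege fix: grant sysadmin explicitly to the DBA group first so
--    the instance is not locked out, then drop the implicit Administrators login.
CREATE LOGIN [DOMAIN\DBA-Team] FROM WINDOWS;            -- placeholder name
EXEC sp_addsrvrolemember @loginame = 'DOMAIN\DBA-Team', @rolename = 'sysadmin';
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = 'BUILTIN\Administrators')
    DROP LOGIN [BUILTIN\Administrators];

-- 4. Re-run step 2: the only Windows principals with sysadmin should now be the
--    ones you deliberately added. Everyone else still authenticates through
--    Windows but holds only the permissions their database users are granted.
```

Step 1 also shows why the "SQL-only" option the original poster wanted does not exist as a server setting; what can be controlled is the authorisation layer in steps 2 and 3.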
SSCommitted
Maybe I'm smoking something, but isn't SQL Server--and many things it now does--so tightly integrated into the OS that if Windows Authentication were removable, it would break most of SQL Server?
Think about it. Now IIS is required for SQL Server. Now we have CLR assemblies, Service Broker, and the new SSIS. Not to mention the .Net Framework stuff. What would turning off Windows Authentication do to those?
Now to Steve's comment about being worried that an ISV didn't know about this issue. This question comes up every couple of months. It's so pervasive that ISTR it being on one of the DBA exams somewhere (probably where the original poster got the idea). And a lot of ISVs are guilty of using the SA account for their programs without verifying what permissions are actually needed for their stuff to run. In fact, ISVs have caused no end of problems for DBAs by insisting they need the highest level of available security.
So why are we surprised that they don't understand the authentication methodology if they don't even understand how basic security works?
That's not to say all ISVs are evil or bad. I used to work for one. You have ISVs owned by people like Brian Knight. That boy don't kid around. He knows his SQL Server and is not very likely to force some poor unsuspecting client to give him SA access "just because." Then you have ISVs like the one I used to work for. As they lived off the profits of maintenance agreements and designer upgrades, they couldn't exactly afford the best of the best. In some areas of SQL Server, I knew more than they did. And I was just a rookie at the time.
Before I agree to want functionality like this, I want a list from Microsoft of everything that would be affected when Windows Auth is "turned off." Then I'll decide if I really want the capability or not.
Brandie Tarvin, MCITP Database Administrator, MCDBA, MCSA
Webpage: http://www.BrandieTarvin.net LiveJournal Blog: http://brandietarvin.livejournal.com/ Now a member of LinkedIn!
Contributing Author: Transformers: Legends, Pirates of the Blue Kingdoms, Blue Kingdoms: Shades & Specters
Forum Newbie
The responses so far are, typically, M$-centric...as if nothing exists outside of the AD domain where the SQL server resides that would ever require access to data in the database. Really folks, you need to take the blinders off once in a while.