SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
Search:  
 
Home Articles Editorials Forums Scripts Videos Blogs QotD Books Ask SSC SQL Jobs Training Authors About us Contact us Newsletters Advertise Write for us


 

Tim Mitchell

Tales of my travels through SQL Server
Add to Technorati Favorites Add to Google
Author Bio
Tim Mitchell is a Microsoft SQL Server consultant, developer, speaker, and trainer. He has been working with SQL Server for over 6 years, working primarily in database development, business intelligence, ETL/SSIS, and reporting. You can find his complete profile at TimMitchell.net.
June 2006 - Posts

Be on the lookout for the mistakes of others

By Tim Mitchell in Tim Mitchell 06-15-2006 8:39 PM | Categories:
Rating: (not yet rated) Rate this |  Discuss | 2,543 Reads | 48 Reads in Last 30 Days |5 comment(s)

I've come to learn that there are some really flaky systems out there.  Not just a few quirks here and there, but significant problems that someone should have caught.

For example, I spent some time earlier this week consolidating two SQL Server machines into one.  Through this process, I had to evaluate the vendor app that interfaced with one of these databases.  In examining the configuration, I found that every user of the system was connecting through a static SQL user account - not a good idea, considering the merits of using Windows authentication, but not a critical problem.  However, what was a dealbreaker was that this common account used by all had been given db_owner priveliges.  Furthermore, the user ID and password of this db_owner account were stored in a configuration file on each machine!

The most appalling part of this was my call to the vendor.  I explained what I had found, and the account rep insisted that it had to be configured this way for the application to work properly.  More frightening, he didn't consider this setup a problem at all.  Despite this advice, I ended up doing some experimentation using Windows authentication and a diminished level of access.  Contrary to what the account rep told me, this setup worked just fine.

Now what I'm wondering is, at what step in the development project did it seem to be a good idea to allow anyone db_owner rights - and to put that login data directly on the client machine?  I will admit to taking some shortcuts during system development, but generally during the proof-of-concept phase.  How such a significant oversight like this could get past developers, DBAs and QA is beyond me.

Now had there been a compromise, I'm sure the software vendor would have been questioned about it, but we on the front lines would have borne the bulk of the mess.  The point is, we must always be alert to poorly designed systems - even if it's someone else's poor design.

 
 
Copyright © 2002-2009 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use