Layers of Security


Steve Jones
Comments posted to this topic are about the item Layers of Security

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
IceDread
I have to agree, it's a mess to configure firewalls. Though I've only configured my personal ones.

One time I started out sending an email to the internet service provider I had, asking which protocols and ports they needed open for me to get internet. They didn't know! I started out hard, blocking a bit too much, so I didn't even get the packages from the ISP that gave me my IP address. It is a mess, and last I checked it was not that easy to find out all the information one should have.
sturner
Agreed, though I wonder how many DBAs actually have the authority to set the rules involving database security policies or even set standards for developers and insist that they be followed in all projects? Not many probably (I certainly don't).

The probability of survival is inversely proportional to the angle of arrival.
djackson 22568
OK Steve, you have me interested. I consider SQL Security to be as complex as anything I have seen. I have zero issues configuring my Windows server to be as secure as possible. I think I know enough to do things right, but I don't know "why" to choose one selection over another. Vendors still push for "sa" accounts for access and there is little I can do when I am told to implement a system with that poor of a design, but there are systems that I have more control over. The article above yours mentions "teaching a man (woman) to fish".

What do you suggest as the best resource for security in SQL Server 2008 R2?

Preferably a nice set of articles like the ones SQLServerCentral is doing for SSRS, or how about a good book, maybe even a blog somewhere?

Even those of us who consider themselves experts in this vein should benefit by reading more about it. For those of us who struggle with it, good information can be tremendous. I know BO has information, but to me that is more of a reference, and useful once you know what you want to do. A good primer, followed by good detail, is usually easier for most of us to pick up.

Dave
Steve Jones
djackson 22568 (12/6/2011)
Vendors still push for "sa" accounts for access and there is little I can do when I am told to implement a system with that poor of a design, but there are systems that I have more control over.


I've had a few vendors ask for SA in the past. Digging in, we found they wanted SA because a) that's what they always use, and b) because they wanted to create logins or run a job from the application.

We could easily do the "create" logins from SSMS (or EM in that case) and the application would see them. We could also grant rights to run jobs without giving SA. Some vendors want SA, but don't really even know why they have that requirement.


What do you suggest as the best resource for security in SQL Server 2008 R2?

Preferably a nice set of articles like the ones SQLServerCentral is doing for SSRS, or how about a good book, maybe even a blog somewhere?

Even those of us who consider themselves experts in this vein should benefit by reading more about it. For those of us who struggle with it, good information can be tremendous. I know BO has information, but to me that is more of a reference, and useful once you know what you want to do. A good primer, followed by good detail, is usually easier for most of us to pick up.

Dave


We are working on a security stairway series, but it's tough to get one done. For now, I would recommend a couple resources:

Securing SQL Server: http://www.amazon.com/gp/product/1597496251?ie=UTF8&tag=redgatsof-20&linkCode=as2&camp=1789&creative=9325&creativeASIN=1597496251
Hardening SQL Server: http://www.sqlmag.com/article/sql-server/Hardening%20SQL%20Server-135858

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
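
The alternative to handing a vendor application "sa", as described in the reply above, sketched as an added T-SQL example (not code from this thread or from any vendor). The login `VendorApp`, the database `VendorDb` and the password placeholder are hypothetical; `sp_addrolemember` is used because the thread concerns SQL Server 2008 R2.

```sql
-- Added example: VendorApp, VendorDb and the password are placeholders.

-- 1. The DBA creates the login; the application does not need sysadmin for this.
USE master;
GO
CREATE LOGIN VendorApp
    WITH PASSWORD = N'<replace-with-strong-password>',
         CHECK_POLICY = ON,            -- enforce the Windows password policy
         DEFAULT_DATABASE = VendorDb;
GO

-- 2. Data access is limited to the application's own database.
USE VendorDb;
GO
CREATE USER VendorApp FOR LOGIN VendorApp;
EXEC sp_addrolemember N'db_datareader', N'VendorApp';
EXEC sp_addrolemember N'db_datawriter', N'VendorApp';
GO

-- 3. Job execution comes from an msdb fixed database role, not from sysadmin.
--    SQLAgentUserRole:     create and run only the jobs the login owns.
--    SQLAgentOperatorRole: additionally start and stop local jobs owned by others.
USE msdb;
GO
CREATE USER VendorApp FOR LOGIN VendorApp;
EXEC sp_addrolemember N'SQLAgentUserRole', N'VendorApp';
GO

-- 4. Check that the login is not a sysadmin (expect 0).
SELECT IS_SRVROLEMEMBER('sysadmin', 'VendorApp') AS vendor_is_sysadmin;

-- 5. Review which principals still hold sysadmin; is_disabled marks
--    logins that cannot connect.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;
```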