SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


VPN access for vendor, multiple instance


VPN access for vendor, multiple instance

Author
Message
NJDave
NJDave
Old Hand
Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)Old Hand (355 reputation)

Group: General Forum Members
Points: 355 Visits: 598
Hello

I have a request to allow a vendor to have VPN access to my SQL Server that currently has one default instance.

The default instance contains multiple databases for multiple agencies - this creates a security concern.

Is it possible to create a second instance and only allow the vendor access to that second instance through VPN?

Is it possible to give a vendor VPN access but restrict their access to anything else but their database?

Thanks in advance
Dave
Lowell
Lowell
SSC Guru
SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)

Group: General Forum Members
Points: 71116 Visits: 40924
NJDave (11/19/2012)
Hello

I have a request to allow a vendor to have VPN access to my SQL Server that currently has one default instance.

The default instance contains multiple databases for multiple agencies - this creates a security concern.

Is it possible to create a second instance and only allow the vendor access to that second instance through VPN?

no need for additional instances...you can limit access simply by giving the vendor one login, that has a matching user in only a single database.

Is it possible to give a vendor VPN access but restrict their access to anything else but their database?

Thanks in advance
Dave



Remember SQL is deny by default, meaning if you don't explicitly give them access to something , whether by adding them to roles or mistakenly granting sysadmin privileges, they simply cannot access something that you diidn't give them.

I would create a user for your vendor , say VENDORACCESS, and that is the user they can use to access the database in question;


Create LOGIN [VendorAccess] WITH PASSWORD='NotTheRealPassword'

USE [WHATEVER]
Create USER [VendorAccess] FOR LOGIN [VendorAccess]
CREATE ROLE [AlmostOwners]
EXEC sp_addrolemember N'db_ddladmin', N'AlmostOwners'
EXEC sp_addrolemember N'db_datareader', N'AlmostOwners'
EXEC sp_addrolemember N'db_datawriter', N'AlmostOwners'
--can the users EXECUTE procedures? comment out if false
GRANT EXECUTE TO [AlmostOwners]
--allow the users to see view proc and function definitions
Grant View Definition ON SCHEMA::[dbo] To [AlmostOwners]

--finally add our user to the role:
EXEC sp_addrolemember N'AlmostOwners', N'VendorAccess'



Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
Orlando Colamatteo
Orlando Colamatteo
SSC-Dedicated
SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)SSC-Dedicated (39K reputation)

Group: General Forum Members
Points: 39266 Visits: 14411
Lowell has covered the database-level concerns well. All I'll add, at the server-level, is if you are concerned about the new vendor seeing databases other than their own when using the SSMS Object Explorer you can deny the VIEW ANY DATABASE permission. The permission is granted to all logins via the public Role at the server-level, and all logins inherit that permission by default because all logins are permanent members of public:

DENY VIEW ANY DATABASE TO [TheNewLogin];



edit: it's worth mentioning that you can also DENY or REVOKE the permission from public but that's a more drastic measure

The DENY on the login object will supercede the GRANT offered by the login's membership in public but it also means the login will not even see databases in Object Explorer that they legitimately can access. This means they'll have to know the database's name to change contexts into it in a query window using:

USE [DatabaseName];



Personally I would like for there to be an option to have Object Explorer only show the databases a login can potentially access, as opposed to all or none:

Connect > Can't see database with Object Explorer

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Hemant.R
Hemant.R
Old Hand
Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)Old Hand (364 reputation)

Group: General Forum Members
Points: 364 Visits: 240
It is possible to give VPN access to SQL Server that currently has one default instance.

please check,how he connecting to sql server .if he using sql client component or taking access of entire server aceess.

create low priviledge windows login then map that login to particular database which he want to access.Bcoz as we all know windows authentication is more secure.

Is it possible to create a second instance and only allow the vendor access to that second instance through VPN?

yes.u can but plz check sql server browser service is not running .bcoz if it is running then it will show no of instances

please observed activity what time he is connecting .
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search