SQL Clone
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 


AD group has dbowner access to DB. How can I stop users from accessing from outside the application....


AD group has dbowner access to DB. How can I stop users from accessing from outside the application.

Author
Message
David C Young
David C Young
SSC Journeyman
SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)

Group: General Forum Members
Points: 90 Visits: 75
What am I missing. An application uses the users AD ID to execute against the database (read, write, create temp tables, execute procs). The users are all part of a single AD group and that group is granted dbowner access. (I have no control over the 3rd party application). How can I prevent these same users from accessing the database via any other application? With dbowner access they could access via SSMS, Toad or any number of other programs and do who knows what. All they need to know is the server name.
Evil Kraig F
Evil Kraig F
SSC-Insane
SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)SSC-Insane (20K reputation)

Group: General Forum Members
Points: 20493 Visits: 7660
You don't. You've opened the floodgates.

However, there's a hardware mechanism you can use if you've got a centralized N-Tier and these users aren't running the app off their PCs. Firewall your SQL Server and only allow particular IPs to access it, and then open up those IPs that the application/N-Tier resides on.


- Craig Farrell

Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.

For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. |Tally Tables

Twitter: @AnyWayDBA
K. Brian Kelley
K. Brian Kelley
Keeper of the Duck
Keeper of the Duck (24K reputation)

Group: Moderators
Points: 24752 Visits: 1917
If there are other DBs which are legitimately accessible by users, you can't.

If there aren't, and if you can authorization to modify your firewall policy on the server, then look at firewalling off connections from everything but the DBAs and the app servers. Of course, if the DBAs aren't in their own vLAN, then this may not be an option, either.

The question I have is why does a group have dbowner access? Is this required of the app? If so, have you pushed back with the developer of the app?

K. Brian Kelley
@‌kbriankelley
David C Young
David C Young
SSC Journeyman
SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)

Group: General Forum Members
Points: 90 Visits: 75
It is required by the app and yes I have pushed back but gotten nowhere. Even if they weren't I would still have an access issue. Looking at the firewall option.
Lowell
Lowell
SSC Guru
SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)SSC Guru (71K reputation)

Group: General Forum Members
Points: 71372 Visits: 40930
from the TSQL side, you could create a logon trigger that checks the application name and the login name both.

you could make sure the login is using a specific application name, or the opposite: the login is using something it shouldn't be.

while you could rollback their connection, i might consider just monitoring non-compliance and reporting violators.

here's just one example of the many logon trigger examples found here in the forums:
http://www.sqlservercentral.com/Forums/Topic1199139-149-1.aspx#bm1199153

Lowell
--help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. with your description of the problem, we can provide a tested, verifiable solution to your question! asking the question the right way gets you a tested answer the fastest way possible!
David C Young
David C Young
SSC Journeyman
SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)SSC Journeyman (90 reputation)

Group: General Forum Members
Points: 90 Visits: 75
Thanks, this looks like something that will work for us.
GilaMonster
GilaMonster
SSC Guru
SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)SSC Guru (223K reputation)

Group: General Forum Members
Points: 223348 Visits: 46297
Bear in mind though it's trivial to spoof the application name.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


Perry Whittle
Perry Whittle
SSC Guru
SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)SSC Guru (53K reputation)

Group: General Forum Members
Points: 53721 Visits: 17672
I use a logon trigger for situations similar to this

-----------------------------------------------------------------------------------------------------------

"Ya can't make an omelette without breaking just a few eggs" ;-)
kevaburg
kevaburg
SSCarpal Tunnel
SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)SSCarpal Tunnel (4.5K reputation)

Group: General Forum Members
Points: 4463 Visits: 1025
Try creating a second AD Group and assigning the users you don't want to have db_owner access to that new group. Assign new permissions to the database via the group level and the problem is resolved.

At lease, if I understood the problem correctly.....

We had a similar problem whereby an application had to have SYSADMIN rights on the instance and DB_OWNER on the database. It wasn't negotiable and the vendor wasn't prepared to rewrite their code.

We didn't buy the App.
crmitchell
crmitchell
Ten Centuries
Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)Ten Centuries (1.3K reputation)

Group: General Forum Members
Points: 1260 Visits: 1793
I suppose you could set the application up to use a different account and set a windows shortcut to the application to run it as that account. Expect lots of support issues from users who redo their shortcuts though.
Go


Permissions

You can't post new topics.
You can't post topic replies.
You can't post new polls.
You can't post replies to polls.
You can't edit your own topics.
You can't delete your own topics.
You can't edit other topics.
You can't delete other topics.
You can't edit your own posts.
You can't edit other posts.
You can't delete your own posts.
You can't delete other posts.
You can't post events.
You can't edit your own events.
You can't edit other events.
You can't delete your own events.
You can't delete other events.
You can't send private messages.
You can't send emails.
You can read topics.
You can't vote in polls.
You can't upload attachments.
You can download attachments.
You can't post HTML code.
You can't edit HTML code.
You can't post IFCode.
You can't post JavaScript.
You can post emoticons.
You can't post or upload images.

Select a forum

































































































































































SQLServerCentral


Search