Limiting applications - discussion


devereauxj
For SQL Server 2005 and SQL Server 2008.

We found an enterprising user that made his own ODBC, used his OS/authentication that an existing application uses, and created his own Access database application. No malicious intent, just trying to do things (he thought) better and faster.

Let's leave out the "Don't allow ODBCs to be created" discussion.

Are there different methods so "MyApplication" with "domain\userFred" is the only way Fred has access to the database? The vendor application ONLY uses authenticated user access. Some users are explicitly listed in the database, others are in domain groups.

Also, any way to do this in SQL 2000? SQL 2000 is not an issue right now, but could be.

Thanks,
Joseph



Jack Corbett
In 2005 and 2008 you could use a LOGON TRIGGER and check the application name, but be aware that this can be passed as part of the connection string so your real application can be spoofed.

I don't know of a way to do this in 2000.

Scenarios like this are why I don't believe in granting direct table access. If everything is done with SPs, views, and UDFs then the users can't do this.



Jack Corbett

Applications Developer

Don't let the good be the enemy of the best. -- Paul Fleming
At best you can say that one job may be more secure than another, but total job security is an illusion. -- Rod at work

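The logon-trigger check described in the reply above, as an added example (not code posted in the thread). `DOMAIN\userFred` and `MyApplication` are the thread's placeholders for the real login and the application name the vendor client reports; the trigger name is made up for illustration.

```sql
-- Added example: refuse connections for one login unless the client reports
-- the expected application name. All names below are placeholders.
USE master;
GO
CREATE TRIGGER trg_limit_app_for_fred
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- APP_NAME() is whatever the client put in its connection string, so this
    -- filters out ad-hoc tools by convention; it is not an authentication check.
    IF ORIGINAL_LOGIN() = N'DOMAIN\userFred'
       AND IS_SRVROLEMEMBER('sysadmin') = 0          -- never lock out administrators
       AND ISNULL(APP_NAME(), N'') <> N'MyApplication'
    BEGIN
        -- PRINT output inside a logon trigger is diverted to the SQL Server
        -- error log, which leaves a record of each refused connection.
        PRINT N'Logon refused for ' + ORIGINAL_LOGIN()
            + N' using application "' + ISNULL(APP_NAME(), N'') + N'"';
        ROLLBACK;   -- rolling back the implicit transaction denies the logon
    END
END;
GO
```

Logon triggers require SQL Server 2005 SP2 or later. If a faulty trigger blocks logins, a sysadmin can connect over the Dedicated Administrator Connection and run `DISABLE TRIGGER trg_limit_app_for_fred ON ALL SERVER`.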
JeremyE
In SQL 2000 you could write a script using sp_who2 and create a job to run every minute and kill connections where ProgramName like 'Microsoft Office%'. That's a pretty hokey way to do things.

In 2008 you can use Resource Governor to limit CPU and memory by application and limit Microsoft Office to 1% of each so they can't hog resources. This of course doesn't keep them from using MS Access.

Just throwing out a couple ideas.
LutzM
Did you look into application roles?

Brian Kelley's article below pretty much describes your scenario. Maybe it's an option, even with all the cons...
http://www.sqlservercentral.com/articles/Security/sqlserversecurityprosandconsofapplicationroles/1116/



Lutz
A pessimist is an optimist with experience.

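How an application role would apply to the scenario in this thread, as an added example (not code from the thread or from the linked article). The database `VendorDb`, table `dbo.Orders`, role `MyApplicationRole` and the password placeholder are all made up, and it assumes Fred has his own database user holding direct table permissions.

```sql
-- Added example with constructed names; adjust to the real database objects.
USE VendorDb;
GO
CREATE APPLICATION ROLE MyApplicationRole
    WITH PASSWORD = N'<placeholder-strong-password>';
GO
-- Fred's own user keeps the ability to connect but loses direct table rights
-- (assumes they were granted to his user; rights inherited from a domain
-- group or database role have to be removed there instead).
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM [DOMAIN\userFred];
-- The table rights live on the application role only.
GRANT SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO MyApplicationRole;
GO

-- What the application has to run right after connecting as DOMAIN\userFred.
-- An Access front end using the same Windows login never executes this step,
-- so it sees the database but cannot read or change dbo.Orders.
DECLARE @cookie varbinary(8000);
EXEC sys.sp_setapprole
     @rolename      = N'MyApplicationRole',
     @password      = N'<placeholder-strong-password>',
     @fCreateCookie = 1,
     @cookie        = @cookie OUTPUT;

SELECT USER_NAME() AS active_principal;   -- MyApplicationRole while the role is active

-- ... application work against dbo.Orders ...

-- Return to the original security context before the connection is reused.
EXEC sys.sp_unsetapprole @cookie;
GO
```

The application itself must call `sp_setapprole`, so this only works if the vendor application supports it, and the role password has to be stored where the client can read it.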