Can a malware on desktop affect the security of MSSQL?

  • Connecting to MSSQL 2000 using SSMS 2008

    My company's security expert claims that I need a different account to access MSSQL 2000 servers; disabled my domain account to all MSSQL databases and created a different domain account for my access to MSSQL databases. Is there a legitimate security concern with 1 domain account that can access email, internet, etc (and possibly malware / virus) passing it MSSQL databases just because I use Windows authentication on my SSMS 2008???

    Is this security or stupidity?

  • MSSQL_NOOB (1/4/2013)


    Is this security or stupidity?

    A little of both, I think.

    From a SQL server standpoint,

    SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.

    SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.

    Covering the security hole by switching to SQL users/passwords potentially opens a different, larger hole.

    A virus scanner pretty much puts the issue to bed as far as malware, and that's the solution we prefer at my shop. (We use ESET NOD32 Antivirus.)

    Lowell


    --help us help you! If you post a question, make sure you include a CREATE TABLE... statement and INSERT INTO... statement into that table to give the volunteers here representative data. With your description of the problem, we can provide a tested, verifiable solution to your question! Asking the question the right way gets you a tested answer the fastest way possible!

  • Lowell (1/4/2013)


    MSSQL_NOOB (1/4/2013)


    Is this security or stupidity?

    A little of both, I think.

    I agree it could be a little of both. Many shops use two accounts in AD - one admin level account and one is a user level account. AV software and malware detection software should help with the malware concern.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • From a SQL server standpoint,

    SQL Server passwords are inherently less secure than Windows authentication; you can use a brute force/dictionary attack to attempt to get SQL Server access. Windows Authentication means you've logged in securely on the domain, so you are able to pass a trusted token around instead of exposing your password.

    SQL authentication is disabled, by default, on a new SQL installation for that specific security reason.

    Ohh ... but both my accounts are domain accounts. With one account I can access email, the internet, etc. but not SQL Server. With the other account I can access SQL Server (and the internet as well) but not email.

    So my thoughts here are when there's an issue, I would log in to domain account #1; read my emails / problems. Then, log off, and log on to domain account #2 to get to MSSQL to fix the issue. And if there are follow up emails that I may need; then I'll log out of domain account #2 and log on to domain account #1 to get the emails ... and back and forth. And on the same machine!!!

    So here I am wondering ... how viable is that plan? And what are the possibilities that virus / malware transmits from desktop through SSMS to MSSQL server?

    I agree it could be a little of both. Many shops use two accounts in AD - one admin level account and one is a user level account. AV software and malware detection software should help with the malware concern.

    Ohh ... my "secure" account doesn't have any groups - only Domain Users. So it's not an admin account whatsoever. Just that username is being added as sysadmin in MSSQL.

There is an option that does not require you to log on and off and back and forth.

    Create an SSMS shortcut that relies on Runas and specify your other account in the runas parameters.

    Another option is to create a little PowerShell script and place it on the desktop (or someplace usable). Have the PowerShell script launch SSMS and prompt for account and password.

    Then you will not need to log in or out between the two accounts.

    This also illustrates the stupidity part of the reason for the second account. You will have access to email and SSMS from the same Windows session.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
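
The Runas shortcut and the PowerShell launcher described in the post above, written out as an added example (not code from the thread); the SSMS 2008 install path and the `DOMAIN\sql-admin` account name are assumptions to adjust for your environment.

```powershell
# Added example: start SSMS under the second, SQL-only domain account without
# logging off the mail/browser account. Equivalent shortcut target for the
# Runas approach (assumed path and account name):
#   runas /user:DOMAIN\sql-admin "C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

param(
    # Placeholder: the SQL-only domain account (the one that is sysadmin in MSSQL).
    [string]$SqlAccount = 'DOMAIN\sql-admin'
)

# Assumed SSMS 2008 location; edit for your installation.
$SsmsPath = 'C:\Program Files\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe'
if (-not (Test-Path -LiteralPath $SsmsPath)) {
    throw "SSMS not found at '$SsmsPath'. Edit `$SsmsPath for your installation."
}

# Prompt for the SQL-only account's password every time; nothing is saved to disk.
# Passing the account name pre-fills the dialog (works on PowerShell 2.0 and later).
$cred = Get-Credential $SqlAccount
if ($null -eq $cred) { return }   # user cancelled the dialog

# -Credential creates a new logon session for the second account, so SSMS
# presents that account's Windows token to SQL Server. -WorkingDirectory must
# be a folder the second account can read, or process creation fails.
$proc = Start-Process -FilePath $SsmsPath `
                      -Credential $cred `
                      -WorkingDirectory (Split-Path -Parent $SsmsPath) `
                      -LoadUserProfile `
                      -PassThru

# Caveat the thread already raises: this separates the credentials, not the
# machine. SSMS still runs on the same interactive desktop as mail and browser.
Write-Host ("SSMS started as {0} (PID {1})" -f $cred.UserName, $proc.Id)
```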

  • Create an SSMS shortcut that relies on the Runas and specify your other account in the runas parameters.

    Another option is to create a little powershell script and place it on the desktop (or someplace usable). Have the powershell script launch ssms and prompt for account and password.

    Gosh ... I love your idea! How do I thank you? These are awesome suggestions.

    Edit: Found http://www.sevenforums.com/tutorials/164915-run-different-user-shortcut-create-specified-program-user.html

    Totally defeats the security "clean system" but works like a CHARM!!! 😉

    But hey, same desktop, different username isn't exactly "clean system" anyway.
