Developer viewpoint --- DBA viewpoint

  • We have a new app that supports both Windows and SQL authentication. I prefer to enable database access using Windows, not SQL, authentication. The developer says that any of those Windows users, if they had Management Studio, could directly access the database, so that approach is no good. He prefers to have his app use Windows authentication (to determine the proper user permissions) and have all database access done by the app using a single SQL account.

    What are your thoughts on the "right" approach to use?

    TIA,

    barkingdog

  • If your users also use Windows, you should use Windows authentication. SA authentication should be used when the connection is coming from non-Windows machines.

    If your clients are on Windows, then you are adding more security risk if you enable the SA account, which is disabled by default.

    You can create different login groups (OS level) and assign the default databases to them. Then add users to those groups.

    That's what I prefer. Others can guide.

    Abhay Chaudhary
    Sr. DBA (MCITP/MCTS: SQL Server 2005/2008, OCP 9i)
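    The group-login approach described in this post, as an added T-SQL example that is not part of the original thread. The domain (CORP), the Windows group (CORP\SalesAppUsers), the database (SalesDb) and the stored-procedure schema (dbo) are assumed names; SQL Server keeps only one login for the whole group, so membership is managed in the OS directory and no SQL password exists anywhere.

```sql
-- Added example, not from the thread. CORP\SalesAppUsers and SalesDb are assumed names.
USE master;
GO
-- One server login for the OS-level group. Members are added or removed in the
-- directory; SQL Server never sees a password for them.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\SalesAppUsers')
    CREATE LOGIN [CORP\SalesAppUsers] FROM WINDOWS
        WITH DEFAULT_DATABASE = [SalesDb], DEFAULT_LANGUAGE = [us_english];
GO

USE SalesDb;
GO
-- Map the group login to a database user and grant only what the app needs:
-- read access plus EXECUTE on the procedures it calls, no direct write access.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\SalesAppUsers')
    CREATE USER [CORP\SalesAppUsers] FOR LOGIN [CORP\SalesAppUsers];
GO
ALTER ROLE db_datareader ADD MEMBER [CORP\SalesAppUsers];
GRANT EXECUTE ON SCHEMA::dbo TO [CORP\SalesAppUsers];
GO

-- Check 1: everything the group has been granted in this database. This is the
-- full answer to "what can a member do if they open Management Studio".
SELECT pr.name AS principal_name, pe.state_desc, pe.permission_name, pe.class_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'CORP\SalesAppUsers';

-- Check 2: role membership for the same principal.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = N'CORP\SalesAppUsers';

-- Check 3: run this while connected as an actual group member to see the
-- effective permission set that member really has.
SELECT SUSER_SNAME() AS login_name, USER_NAME() AS db_user;
SELECT permission_name, subentity_name
FROM fn_my_permissions(NULL, 'DATABASE');
```

    Because the login is the group, a member who opens Management Studio gets exactly the permissions shown by the checks above and nothing more; the developer's objection only holds if the group has been granted more than the application itself needs.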

  • Heyyyyyyyy SSC Journeyman!

    I agree with you totally. I am concerned that if all database access is done through a single SQL account, the idea of database auditing is out of the question. That must be done by the developer-controlled application. Talk about keeping all eggs in one basket. In our current "SOX-like" climate I don't know if that approach is such a good idea.

    Barkingdog

  • We do mainly web-based applications, and assign a different Windows account for each web site. The users authenticate to the web site, and the web site account connects to the database using its Windows login. There is no need for the web site to connect with a SQL Server login, and there is no reason for application users to have access to the database.

    SQL Server logins are a security risk, because the developers know the password and hard code it in connection strings, making it impossible to change the password without breaking the application.
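    The per-site Windows account pattern from this post, with the server-side auditing raised earlier in the thread, as an added T-SQL example that is not part of the original thread. The service account (CORP\svc_salessite$, assumed to be the identity the web site runs under), the database (SalesDb), the audit file path (D:\SqlAudit\) and the schema (dbo) are assumed names. The application's connection string then uses Integrated Security=SSPI and carries no password, so there is nothing for a developer to hard-code and rotating the account's credential never touches the application.

```sql
-- Added example, not from the thread. CORP\svc_salessite$, SalesDb and
-- D:\SqlAudit\ are assumed names.
USE master;
GO
-- The web site's own Windows identity gets the login; end users never do.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'CORP\svc_salessite$')
    CREATE LOGIN [CORP\svc_salessite$] FROM WINDOWS
        WITH DEFAULT_DATABASE = [SalesDb];
GO

-- Server audit: writes to a file the DBA controls, independent of the application.
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'SalesSiteAudit')
    CREATE SERVER AUDIT [SalesSiteAudit]
        TO FILE (FILEPATH = N'D:\SqlAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
        WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [SalesSiteAudit] WITH (STATE = ON);
GO

USE SalesDb;
GO
-- Least privilege for the site: only the procedures it calls, no table access.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'CORP\svc_salessite$')
    CREATE USER [CORP\svc_salessite$] FOR LOGIN [CORP\svc_salessite$];
GRANT EXECUTE ON SCHEMA::dbo TO [CORP\svc_salessite$];
GO

-- Database audit specification: record every data change and every EXECUTE
-- performed by this site's account. With one account per site the audit
-- attributes activity to the site; the end user behind a request is still
-- something only the application knows.
CREATE DATABASE AUDIT SPECIFICATION [SalesSiteActivity]
    FOR SERVER AUDIT [SalesSiteAudit]
    ADD (INSERT, UPDATE, DELETE ON SCHEMA::dbo BY [CORP\svc_salessite$]),
    ADD (EXECUTE ON SCHEMA::dbo BY [CORP\svc_salessite$])
    WITH (STATE = ON);
GO

-- Reading the trail back: the principal column shows the site account, so two
-- sites sharing one instance are distinguishable in the log.
SELECT event_time, action_id, server_principal_name, database_name,
       schema_name, object_name, statement
FROM sys.fn_get_audit_file(N'D:\SqlAudit\*', DEFAULT, DEFAULT)
ORDER BY event_time DESC;
```

    If the site runs under a local IIS application pool identity instead of a domain account, the login name takes the form IIS APPPOOL\<pool name> and the same statements apply; the caveat is that the SQL Server must then be on the same machine, since a local identity cannot authenticate across the network.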
