Only Use My Application

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    Comments posted to this topic are about the item Only Use My Application

  • Evgeny Garaev

    SSCertifiable

    Points: 6323

    The most appropriate solution is create a custom logon trigger. So I would say there is no appropriate solutions in the provided list...

    For example, -mSQLCMD limits connections to a single connection and that connection must identify itself as the SQLCMD client program.

    In this case it will be only one connection from SQLCMD, you won't be able to create another session to the same instance using the same application. So this is incorrect as well. :blink:
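One way to implement the logon-trigger approach, as an added example that is not code from this thread or any poster; the login name, application name and IP address are placeholders. It also exempts sysadmins, since a logon trigger that rejects them locks out the people who would have to remove it.

```sql
USE master;
GO

-- Added example: reject sessions for one service login unless they present
-- the expected application name AND come from the expected address.
CREATE TRIGGER trg_only_my_application
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- Never block sysadmins; otherwise only the DAC can remove the trigger.
    IF IS_SRVROLEMEMBER('sysadmin') = 1
        RETURN;

    -- ClientHost in EVENTDATA() is the address the server observed for this
    -- logon. APP_NAME() and HOST_NAME() are whatever the client reported in
    -- its connection string, so they are hints, not identities.
    DECLARE @client_ip nvarchar(64) =
        EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(64)');

    IF ORIGINAL_LOGIN() = N'app_service_login'               -- placeholder login
       AND (APP_NAME() <> N'MyApplication'                   -- placeholder app name
            OR @client_ip NOT IN (N'10.0.0.5', N'<local machine>'))  -- placeholder app server
    BEGIN
        -- ROLLBACK inside a logon trigger cancels the session.
        ROLLBACK;
    END
END;
GO
```

Test it from a second session while keeping an existing sysadmin session open, and remove it with `DROP TRIGGER trg_only_my_application ON ALL SERVER;` if it misbehaves.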

  • Stewart "Arturius" Campbell

    SSC Guru

    Points: 71483

    Very interesting question, thanks Steve.
However, the -m parameter implies single user login mode. This, in turn, implies only one session for the one login.
    However, if the aim is to have multiple users connecting via a given application this would not work...

    ____________________________________________
    Space, the final frontier? not any more...
    All limits henceforth are self-imposed.
    “libera tute vulgaris ex”

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    My apologies, as this one had poor wording. I should have specified one connection from one application.

    Points awarded back and the question clarified.

  • Ed Wagner

    SSC Guru

    Points: 286960

    Glad I didn't see the previous version.  I found myself really thinking it through because I never use it.

  • TimCarrett

    Default port

    Points: 1484

    Very good question. Very clear when I read it. Learnt something new as well.

  • dale_berta

    SSC Eights!

    Points: 922

    We use a logon trigger

  • John Mitchell-245523

    SSC Guru

    Points: 148431

    The referenced page mentions that the connection must identify itself as the application in question.  I answered that this isn't possible, since any connection can identify itself as any application.

    John

  • David Burrows

    SSC Guru

    Points: 64575

    John Mitchell-245523 - Tuesday, May 30, 2017 5:52 AM

    The referenced page mentions that the connection must identify itself as the application in question.  I answered that this isn't possible, since any connection can identify itself as any application.

    John

    +1

    Far away is close at hand in the images of elsewhere.
    Anon.

  • daniel.plocinik

    Hall of Fame

    Points: 3288

    John Mitchell-245523 - Tuesday, May 30, 2017 5:52 AM

    The referenced page mentions that the connection must identify itself as the application in question.  I answered that this isn't possible, since any connection can identify itself as any application.

    John

    +1

    97 percent KO Derf

  • TomThomson

    SSC Guru

    Points: 104772

    I'm glad I didn't see this before it was corrected, but even after correction I think it's a somewhat infelicitous question. 

    It is a matter of guessing whether the correct answer is the first option or the 4th option.   I picked the 1st option despite knowing it to be a very bad answer from a security point of view (it's an utterly insecure method of attempting to restrict connection to a single application) because the restriction to only one connection was there, and as a result it looked as if it wasn't intended to be a security question but something about some once in a while operational thing where security probably wouldn't be an issue (hence utterly insecure, because where people say "security probably isn't an issue" is usually where security is badly broken).

    Tom

  • zerbit

    SSC Veteran

    Points: 215

    +x

    TomThomson - Tuesday, May 30, 2017 7:25 PM

    I picked the 1st option despite knowing it to be a very bad answer from a security point of view 

I picked the 4th because the question was "Only Use My Application", guessing the question was about limiting USERS to use sql with a provided, trusted, application. In that case, the 1st answer is not correct because nothing can prevent the user from launching any other application that presents itself with the allowed name.

  • TomThomson

    SSC Guru

    Points: 104772

    zerbit - Wednesday, June 7, 2017 6:31 AM

    +x

    TomThomson - Tuesday, May 30, 2017 7:25 PM

    I picked the 1st option despite knowing it to be a very bad answer from a security point of view 

I picked the 4th because the question was "Only Use My Application", guessing the question was about limiting USERS to use sql with a provided, trusted, application. In that case, the 1st answer is not correct because nothing can prevent the user from launching any other application that presents itself with the allowed name.

I tend to agree, the first option is a bad answer and the 4th option is a good one.  But the "correction" didn't make any difference to anything but the first option, and merely made the question wording more inclined towards the 1st option, so that seemed to me to indicate that the intention of the question was the first option despite it being utterly insecure.

    Tom

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    It's not utterly insecure. It's just not perfectly secure.

    I can pick an application name and limit connections to that application name. I would easily wager the vast majority of cases this is sufficient security for the window in which it's involved. Your complaints seem to center on this idea that a hacker would be able to figure out the name and then set a connection string to get to the server before you could.

    This is a part of single user mode, which for SQL Server means very rare time periods when an admin needs to perform some maintenance or administrative change.

In terms of a valid administrative strategy, where I want to prevent SQL Agent or some client application from connecting, this solves the issues, quizzes someone on the option, and teaches others.

    I'll stand by the question from a practical standpoint.

  • TomThomson

    SSC Guru

    Points: 104772

    Steve Jones - SSC Editor - Thursday, June 8, 2017 10:05 AM

    It's not utterly insecure. It's just not perfectly secure.

    I can pick an application name and limit connections to that application name. I would easily wager the vast majority of cases this is sufficient security for the window in which it's involved. Your complaints seem to center on this idea that a hacker would be able to figure out the name and then set a connection string to get to the server before you could.

    This is a part of single user mode, which for SQL Server means very rare time periods when an admin needs to perform some maintenance or administrative change.

In terms of a valid administrative strategy, where I want to prevent SQL Agent or some client application from connecting, this solves the issues, quizzes someone on the option, and teaches others.

    I'll stand by the question from a practical standpoint.

Yes "utterly insecure" was an overstatement, I should have said something milder.  But... it isn't completely secure, so it's insecure, not secure.  Is the practical case a genuine one-off, or is it some event that causes restriction to this single application to be required now and again - or even worse, at regular predictable intervals?  In the latter case, it's maybe not secure enough.  In the former case, it's probably secure enough for most purposes.  For rare repetition and unpredictable times, it may well be secure enough but it could potentially be not secure enough (depending on how much harm someone else hijacking that one connection could inflict).

    Tom
