Packaged-Application Database Nightmares - A Horror Story.

  • ben.mcintyre - Thursday, April 26, 2018 1:45 AM

    ALZDBA - Thursday, April 26, 2018 1:38 AM

    as always I get to hear: "but you are the first complaining about this security thing ! We have never had issues with other clients."

    THAT is the truly scary part.

    LOL ... you would think ... at first ... but you get used to it and implement this gauge :

    Johan

    Learn to play, play to learn !

    Don't drive faster than your guardian angel can fly ...
    but keeping both feet on the ground won't get you anywhere :w00t:

    - How to post Performance Problems
    - How to post data/code to get the best help

    - How to prevent a sore throat after hours of presenting ppt

    press F1 for solution, press shift+F1 for urgent solution 😀

    Need a bit of Powershell? How about this

    Who am I ? Sometimes this is me but most of the time this is me

  • Jeff Moden - Wednesday, April 25, 2018 4:17 PM

    p.s.  I'm going through the drill right now.  Our telephone system vendor has asked for a login with "sa" privs for their new reporting system.  They're into that "Well other people let us have one... our software requires it".   Yeah, right.  For a reporting system... I hope they know what "obese opportunity" means. 😀

    SA is an account, and SYSADMIN is a role. If they can't tell you explicitly what permissions they need, then just give them what you think they need.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
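    Putting the account-versus-role distinction into practice, as an added T-SQL example that was not posted by anyone in the thread: a dedicated read-only login for a vendor reporting system, followed by an audit query showing who actually holds sysadmin. The login name vendor_reporting, the database name PhoneSystem and the password are assumptions.

```sql
-- Added example, not from the thread. Assumed names: login vendor_reporting,
-- database PhoneSystem, schema dbo. Run as a member of sysadmin.
USE master;
GO
-- An ordinary SQL login: not the sa account, not in any server role.
CREATE LOGIN vendor_reporting
    WITH PASSWORD = 'Use-a-long-random-passphrase-here!1',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = PhoneSystem;
GO
USE PhoneSystem;
GO
CREATE USER vendor_reporting FOR LOGIN vendor_reporting;
-- A reporting system reads. db_datareader covers every table and view in the
-- database; narrow it to one schema once the vendor can name the objects it uses.
ALTER ROLE db_datareader ADD MEMBER vendor_reporting;
-- A DENY wins over any GRANT, so a later "just add db_datawriter" by someone in
-- a hurry still cannot turn this login into something that changes data.
DENY INSERT, UPDATE, DELETE, ALTER ON SCHEMA::dbo TO vendor_reporting;
GO

-- Audit: who is in sysadmin right now? Anything besides sa and the DBA group
-- is a finding, and a vendor login in this list is exactly what the thread is about.
USE master;
GO
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY sp.name;

-- Confirm the new login is what was intended: 0 means not a sysadmin.
SELECT IS_SRVROLEMEMBER('sysadmin', 'vendor_reporting') AS is_sysadmin;
```

    If the vendor's software later fails with a permission error, that error names the exact object and permission it really needs, which is a far better specification than "it requires sa".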

  • We have a third party vendor that is not quite as bad as all this.  However they do require SA login with Sysadmin privs.
    The kicker - this is a Microsoft product.  Fortunately we can choose the SA Password even though we still have to supply it to them.

  • ajordan 76503 - Thursday, April 26, 2018 8:01 AM

    We have a third party vendor that is not quite as bad as all this.  However they do require SA login with Sysadmin privs.
    The kicker - this is a Microsoft product.  Fortunately we can choose the SA Password even though we still have to supply it to them.

    What happens if you supply them with a different password, the software breaks?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Eric M Russell - Thursday, April 26, 2018 7:42 AM

    Jeff Moden - Wednesday, April 25, 2018 4:17 PM

    p.s.  I'm going through the drill right now.  Our telephone system vendor has asked for a login with "sa" privs for their new reporting system.  They're into that "Well other people let us have one... our software requires it".   Yeah, right.  For a reporting system... I hope they know what "obese opportunity" means. 😀

    SA is an account, and SYSADMIN is a role. If they can't tell you explicitly what permissions they need, then just give them what you think they need.

    Yep.  I know the difference between the sysadmin role and the SA account and they can't have either. 😀  I just group all of the atrocities together by saying "sa" privs.

    Since people aren't listening to me very well on this, I've got the VP of Infrastructure involved... he's also the prime mover when it comes to security and he and I see eye to eye on this type of stuff.  Now the two of us have to reeducate some people on our side of the fence because all they care about is getting it off their plate.  Once that's done, we can get someone besides a Developer/Tech on the phone system company side to work with me on an alternative.  It won't just help us... it's educating that particular phone system provider so that other DBAs don't have to go through this line of horse muffins in the future.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)

  • Eric M Russell - Thursday, April 26, 2018 7:42 AM

    Jeff Moden - Wednesday, April 25, 2018 4:17 PM

    p.s.  I'm going through the drill right now.  Our telephone system vendor has asked for a login with "sa" privs for their new reporting system.  They're into that "Well other people let us have one... our software requires it".   Yeah, right.  For a reporting system... I hope they know what "obese opportunity" means. 😀

    SA is an account, and SYSADMIN is a role. If they can't tell you explicitly what permissions they need, then just give them what you think they need.

    At that point the application just gets its own instance (and service account).  The last company I came across had an application that required sysadmin and a very specific and weird collation in the master db; I didn't care enough to try to figure out why, it just got its own instance.

  • If the vendor is stubborn about the configuration, and you have no other choice but to use them, then you can perhaps run their applications and databases inside a VM or Docker container. They can play the role of God, but only in their own little sandboxed universe.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Even today I received feedback about third-party software taking its own log backups, breaking log shipping scenarios ...

    Johan

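    To spot the situation Johan describes before the log-shipping restore job fails, here is an added T-SQL example that is not from the thread: it walks the log-backup history in msdb for one database, flags non-COPY_ONLY log backups written anywhere other than the log-shipping folder, and flags LSN gaps where a backup is missing from the history altogether. The database name, the folder path and the seven-day window are assumptions.

```sql
-- Added example, not from the thread. Assumed: database PhoneSystem, log
-- shipping writes its .trn files under \\backupsrv\logship\, look back 7 days.
USE msdb;
GO
DECLARE @db    sysname       = N'PhoneSystem';
DECLARE @lsdir nvarchar(260) = N'\\backupsrv\logship\';

WITH logbk AS (
    SELECT bs.backup_finish_date,
           bs.first_lsn,
           bs.last_lsn,
           bs.user_name,                 -- who ran BACKUP LOG
           d.physical_device_name,       -- file path, or a {GUID} for a VDI device
           d.device_type,                -- 2 = disk, 7 = virtual device (backup agents)
           -- last_lsn of the previous log backup in chain order
           LAG(bs.last_lsn) OVER (ORDER BY bs.first_lsn) AS prev_last_lsn
    FROM dbo.backupset AS bs
    CROSS APPLY (SELECT TOP (1) bmf.physical_device_name, bmf.device_type
                 FROM dbo.backupmediafamily AS bmf
                 WHERE bmf.media_set_id = bs.media_set_id
                 ORDER BY bmf.family_sequence_number) AS d
    WHERE bs.database_name = @db
      AND bs.type = 'L'
      AND bs.is_copy_only = 0           -- COPY_ONLY log backups leave the chain alone
      AND bs.backup_finish_date >= DATEADD(DAY, -7, SYSDATETIME())
)
SELECT backup_finish_date, user_name, device_type, physical_device_name,
       first_lsn, last_lsn,
       CASE
         WHEN physical_device_name NOT LIKE @lsdir + N'%'
           THEN 'FOREIGN: the chain continues in a file log shipping will never restore'
         WHEN prev_last_lsn IS NOT NULL AND first_lsn <> prev_last_lsn
           THEN 'GAP: a log backup between these is missing from msdb history'
         ELSE 'ok'
       END AS verdict
FROM logbk
ORDER BY first_lsn;
```

    Each log backup's first_lsn must equal the previous one's last_lsn; a third-party agent that takes its own log backup to a VDI device shows up as a FOREIGN row with device_type 7, and the secondary will refuse the next log-shipping file because its first_lsn is later than the last one restored.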

  • Jeff Moden - Wednesday, April 25, 2018 7:35 AM

    andrew gothard - Wednesday, April 25, 2018 4:01 AM

    And, having worked with numerous third party packages I'm supposed to be surprised by this?
    "We need sa with a blank password, that's how it's hardcoded to connect, and a domain admin with AppName, AppName as the name and password".

    Heh...yeeeaaahhh... that's when I tell management that I was looking for a job when I found this one.  I won't ever let that happen, period, no exceptions.  Very fortunately, I have a few Directors/VPs that get that and back me up 100% on that.

    Management asked me to ensure they got all the co-operation they required, and that I escort them to their car, and ensure they vacated the premises immediately.  They weren't terribly happy about it, but I can be quite persuasive.  
    See, sometimes there is a happy ending.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.

  • Eric M Russell - Wednesday, April 25, 2018 7:34 AM

    andrew gothard - Wednesday, April 25, 2018 4:01 AM

    And, having worked with numerous third party packages I'm supposed to be surprised by this?
    "We need sa with a blank password, that's how it's hardcoded to connect, and a domain admin with AppName, AppName as the name and password".

    Wow, do they also suggest you leave some milk and a plate full of cookies for the hackers? :ermm:

    That's pretty much the gist of what the Sales and Marketing Director asked when he sussed how vulnerable his contacts, appointments and leads were.  Except with a lot of swearing, a little blunter and at considerable volume.  He was actually a very shrewd guy who had worked bloody hard to get where he was, thank you very much - and wasn't impressed.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.

  • Jeff Moden - Wednesday, April 25, 2018 7:56 AM

    Eric M Russell - Wednesday, April 25, 2018 7:47 AM

    If a software application is hard coded to use the "SA" account, you can rename it and then create a new account named "SA" with limited permissions. One or more built-in database level roles like db_ssisadmin, db_datareader, or even db_owner can provide all the permissions it requires to function. Anyone stupid enough to design an application with a hard coded connection to the 'SA' account is probably too stupid to realize you've switched sysadmin role membership out from under them.

    The way I look at it, if someone is so stupid as to hardcode "SA" in their connection, then I'm not going to trust their application in any way, shape, or form.

    Absolutely. 
    I can categorically guarantee you that system will be an absolute midden in terms of bugs, lack of scalability and riddled with just about every kind of exploit going.  It will absolutely not be fit for purpose.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.
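    Eric's rename-and-decoy approach as an added T-SQL example, not posted by anyone in the thread. The names sa_real and AppDb and the passwords are assumptions. The point it relies on: ALTER LOGIN only changes the principal's name, so the sysadmin membership and the fixed SID 0x01 stay with the renamed account, and a second login created under the freed-up name "sa" is an ordinary login with a fresh SID and only the rights it is explicitly given.

```sql
-- Added example, not from the thread. Assumed names: sa_real, AppDb.
USE master;
GO
-- 1. Rename the real sa. Its SID and its sysadmin membership move with it;
--    only the name changes. Disable it as well: administrators should be
--    using their own Windows logins, not a shared SQL account.
ALTER LOGIN sa WITH NAME = sa_real;
ALTER LOGIN sa_real DISABLE;
GO
-- 2. Create an ordinary SQL login that merely happens to be called sa.
--    Nothing granted to the real sa carries over because the SID is new.
CREATE LOGIN sa
    WITH PASSWORD = 'Not-the-real-sa-password-9!',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO
USE AppDb;
GO
CREATE USER sa FOR LOGIN sa;
-- 3. Give the decoy only what the application demonstrably needs. Repeat in
--    every database the application touches; db_owner is the lazy ceiling.
ALTER ROLE db_datareader ADD MEMBER sa;
ALTER ROLE db_datawriter ADD MEMBER sa;
GO
-- 4. Prove it: the decoy is not a sysadmin, the renamed account still is
--    (SID 0x01) but is disabled.
USE master;
GO
SELECT name, sid, is_disabled,
       IS_SRVROLEMEMBER('sysadmin', name) AS is_sysadmin
FROM sys.server_principals
WHERE name IN (N'sa', N'sa_real');
```

    Expect the vendor's installer to break loudly if it really does CREATE DATABASE or xp_cmdshell under the hood; that failure is the first honest statement of what the product needs, and you can decide case by case whether to grant it to the decoy.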

  • Jeff Moden - Wednesday, April 25, 2018 4:17 PM

    p.s.  I'm going through the drill right now.  Our telephone system vendor has asked for a login with "sa" privs for their new reporting system.  They're into that "Well other people let us have one... our software requires it".   Yeah, right.  For a reporting system... I hope they know what "obese opportunity" means. 😀

     "Well other people let us have one".  My simple response to that one is "*Their* incompetence is not within my purview, and is therefore irrelevant".  I like the ensuing silence.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.

  • andrew gothard - Wednesday, May 16, 2018 9:44 AM

    Jeff Moden - Wednesday, April 25, 2018 4:17 PM

    p.s.  I'm going through the drill right now.  Our telephone system vendor has asked for a login with "sa" privs for their new reporting system.  They're into that "Well other people let us have one... our software requires it".   Yeah, right.  For a reporting system... I hope they know what "obese opportunity" means. 😀

     "Well other people let us have one".  My simple response to that one is "*Their* incompetence is not within my purview, and is therefore irrelevant".  I like the ensuing silence.

    Heh... my response wasn't quite so kind or politically correct. 😀  My response to them started off with "Just because you have idiots as other customers..." and it went downhill from there because they were being jerks about it.  Of course, that was only after they accused me of being an "out of touch DBA" and being a "control freak" to the people I work for.  I also turned it around a bit and asked them if their new reporting system was going to be as performance challenged and resource intensive as the previous one and then asked why they never responded to my multiple requests for them to fix it along with some code I wrote and the necessary indexes to fix it.

    --Jeff Moden

