Security Concerns re Developer Edition on a Workstation?

  • dsmalley

    Grasshopper

    Points: 10

    After years of doing development work directly on our shared development/production DB servers, we're researching a move to putting SQL2k8 Dev Edition on our developer's workstations.

    Our company is currently in hyper-vigilant security mode due to forthcoming SOX & SAS70 audits and we're getting some pushback saying that running SQL on a workstation raises some security concerns.

    Assuming that our developers are following policies regarding production / PII / PCI data, etc. are allowed -- are there any known concerns with running SQL DE on a workstation??? Even in the "only the most paranoid person would worry about this" category?

    Are there any companies out there you work at / know of that prohibit DE?

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 716562

    Assuming the machines are patched, and that you control changes pushed from dev machines to the dev server, I don't think there's an issue. Not fundamentally different from a server, except less control. So I would be very, very careful about restores or production data getting to these machines.

  • dsmalley

    Grasshopper

    Points: 10

    Hi Steve - thanks for your reply. Yes, we've got a track record of production data occasionally finding its way on to development servers so this is a concern. We'll take some reasonable steps to keep that from happening for sure.

    I don't have all the details yet regarding the security concerns our internal team has about running DE. I'm hoping there isn't some little-known way in which a guy/gal running SQL on his/her own box can leverage that to gain wider access to the network or circumvent other prohibitive controls in our environment (really starting to hate that word "controls" these days).

    Something like that would shoot our use of DE in the head.

    // Doug

  • EdVassie

    SSC Guru

    Points: 60269

    There are no additional security concerns about putting Developer Edition on to a Workstation compared to having SQL Express or SQL Embedded Edition on the Workstation, and these latter two may already be there.

    If your organisation is concerned about SQL security it needs to be just as concerned about Express and Embedded as it is about Developer.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply