April 26, 2013 at 10:32 am
Sergiy (4/26/2013)
opc.three (4/26/2013)
PowerShell has security scaffolding in placeYou might be surprised - but SQL Server has it too.
And cowboy developers may (most certainly will) ignore that scaffolding in PowerShell as well as they do it in SQL Server.
Unless a professional admin (DBA in case of SQL Server) will force them to use it.
Look Sergiy, I am well aware of what is available in SQL Server in terms of Security scaffolding and I am sure we could have a great conversation about the virtues of relying too heavily on any one area of a system, or one group of personnel acting within a system, to ensure a system (i.e. an entire environment) is secure. Save your condescending comments for someone else.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 26, 2013 at 8:39 pm
opc.three (4/26/2013)
Sergiy (4/26/2013)
opc.three (4/26/2013)
A stand-alone PowerShell prompt on Homer's machine does not offer much over a stand-alone CmdShell prompt on Homer's machine in the way of added security, only in functionality. Both shells are running as Homer, from Homer's machine IP so actions from both are subject to OS level auditing under his username -and- network level auditing under his username and IP address. When Homer accesses a cmd shell promo via xp_shell neither of those things are true.When Homer accesses a cmd shell promo via xp_shell - nothing happens.
Unless Homer is given SA privileges.
And if Homer is given same kind of privileges on the Windows domain - "neither of those things are true".
He can do whotever he wants from whereever he wants, remotely accessing any server/desktop around with a little chance of being caught.
Get your security within SQL Server right, at least at the same level as within Windows domains - and all your imaginary hazards of xp_cmdshell will go away.
You (and Jeff) are so wrong about this it's not even worth discussing anymore because it's clear you will not see the point.
Nope. Not wrong, Orlando. I just believe differently than you and a whole lot of other people. It's equally clear that you don't see my point and that's Ok. Differences in opinion spark conversation and innovation.
Also understand that Sergiy is not calling you stupid and he's not calling you a cowboy. He called MS stupid and said that cowboy developers (meaning those folks that typically ignore everything except getting something off their plate) would ignore any and all security scaffolding. And when he said "get your security right", he's not talking about you personally... he's talking about anyone and everyone getting their security right and, despite our differences, that's all 3 of our goals. These are not personal attacks. Short, brusk, and maybe even brutally to the point (English is not his native language so he tends to be short), but they're not personal attacks on you.
As for relying "too" heavily on one area of a system, doctors do it all the time. They're called "specialists" because they're really, really good at what they do. I don't see how the use of one very flexible tool paints you in a corner while the use of another very flexible tool does not.
--Jeff Moden
Change is inevitable... Change for the better is not.
April 26, 2013 at 10:49 pm
I could not care less what Sergiy says about anything and do not need a translator of his thoughts. I actually think its odd that you continue to do that. He may be the rudest person I have run into on this site.
I actually do see your point, but think your wrong, but qt the same time respect your right to choose. I do not on the other hand think you see my point, but that's OK. I know I am better off for having had this longest running of dialogues with you, so thank you for that Jeff.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
May 7, 2013 at 8:46 am
As a DBA and occasional AD admin, Powershell considerably simplifies my life.
Goodbye .bat, see ya later mmc AD. SQL OLE Automation was, IMHO, nearly unusable.
I do have the luxury of not being too worried about security, as there is a whole department between me and the outside world.
May 8, 2013 at 11:44 pm
opc.three (4/26/2013)
I could not care less what Sergiy says about anything and do not need a translator of his thoughts. I actually think its odd that you continue to do that. He may be the rudest person I have run into on this site.
We'll have to agree to disagree again, then.
I translated because you didn't understand the short English used. You have no idea what I've learned, taught myself, and have been able to teach others because of that man and his short English.
--Jeff Moden
Change is inevitable... Change for the better is not.
May 9, 2013 at 7:37 am
I can't really say the same but that's great for you. Like I said, I do not need a translator and your saying I do not understand him is a little insulting. You and I have been jousting over this issue for two years and have managed to remain friends so if anything you should be consulting him on what it means to maintain composure when someone disagrees with his point of view.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Viewing 6 posts - 31 through 35 (of 35 total)
You must be logged in to reply to this topic. Login to reply