 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
SQL Server Forum / General / Security / February 2005Locking out MS Access Users...
I have an ASP.NET web application that uses a SQL Server 2000 database. I am forced to use Impersonation/Delegation with Windows accounts so that we can audit activity at the database level. However, everyone in the organization also has MS Access on their desktop. How can I prevent MS Access users from creating a new .adp and executing any of the stored procedures created specifically and solely for the web application? I know using SQL Server application roles (especially for web applications) is BAD! Thanks! -rich > specifically and solely for the web application? I know using SQL Server > application roles (especially for web applications) is BAD! Why are application roles bad?  SignatureAdam Machanic SQL Server MVP http://www.sqljunkies.com/weblog/amachanic -- Based on MS documentation, the biggest drawback for web applications is the loss of connection pooling. See "Building Secure ASP.NET Applications" on the MS site. > > specifically and solely for the web application? I know using SQL Server > > application roles (especially for web applications) is BAD! > > Why are application roles bad? > Based on MS documentation, the biggest drawback for web applications is the > loss of connection pooling. > > See "Building Secure ASP.NET Applications" on the MS site. Thanks; there is some great info there. I read the section on connection pooling and application roles (can be found in this page: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/S ecNetch12.asp ) and I agree with you, given the issues it's probably not a good solution for a web-based application. I think the simplest solution is, assign permissions for the web app to hit the stored procedures, and don't give the Access users any access (no pun intended :) )... SignatureAdam Machanic SQL Server MVP http://www.sqljunkies.com/weblog/amachanic -- > I have an ASP.NET web application that uses a SQL Server 2000 database. I am > forced to use Impersonation/Delegation with Windows accounts so that we can > audit activity at the database level. However, everyone in the organization > also has MS Access on their desktop. How can I prevent MS Access users from > creating a new .adp and executing any of the stored procedures created > specifically and solely for the web application? While you cannot prevent them creating a new ADP, how (or why) do the Access users have access to store procedures that would access the SQL Server 2000 db? Steve The web application uses Integrated security so their Windows accounts (technically the Windows Groups their user accounts are members of) are SQL logins. Database Roles have been created with permissions set for the stored procs, etc. As a result, they can also open Access, create an adp, connect to the SQL database using Windows authentication, and the sp's, UDF's, etc show up. Because the database role their user account belongs to has "execute" permissions for the web application they can then also execute the sp from Access. > > I have an ASP.NET web application that uses a SQL Server 2000 database. I > am [quoted text clipped - 12 lines] > > Steve Some places write jobs to kill spids based on application names connected to SQL Server. That doesn't prevent much as it works after the fact. I also worked at a couple of places where we traced who logged in not using the corporate applications. Sometimes if you'd tell them exactly what they were doing at what time on what day, they'd be freaked out enough to discontinue or not go in as much. -Sue >The web application uses Integrated security so their Windows accounts >(technically the Windows Groups their user accounts are members of) are SQL [quoted text clipped - 21 lines] >> >> Steve > The web application uses Integrated security so their Windows accounts > (technically the Windows Groups their user accounts are members of) are SQL [quoted text clipped - 4 lines] > "execute" permissions for the web application they can then also execute the > sp from Access. It would be a pain, but you could alter every stored procedures to check host_name() against the web server's name, or app_name() against your web app, and bomb out if you detect unauthorized use. Then remove all select,insert,delete,update,etc. permissions on tables from the db role, leaving them only with execute permission on the sp's. Thanks for everyone's replies. All good suggestions. It's unfortunate there isn't a simpler way to lockout particular applications. > > The web application uses Integrated security so their Windows accounts > > (technically the Windows Groups their user accounts are members of) are SQL [quoted text clipped - 10 lines] > select,insert,delete,update,etc. permissions on tables from the db role, > leaving them only with execute permission on the sp's. |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2009 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.