
SQL Server Forum / General / Security / October 2006


Is there an alternative to disabling windows authentication?

jwbutler - 26 Oct 2006 22:15 GMT
I’m a third party developer and my database gets installed on all types of
network setups.  I can’t control the active directory settings for the users
so I want to protect my database by only allowing SQL Server Authentication.
I’m using MSDE 2000.

I have a security manager as part of my system that the users interact with
to assign rights and permissions to database objects.  I translate this into
SQL Server authentication.  The only logins are sa and several default logins
I created for different aspects of my system.  I removed the
BUILTIN\Administrators Group.  The only database roles are db_accessadmin,
db_backupoperator, db_datareader, db_ddladmin, db_denydatareader,
db_denydatawriter, db_owner, db_securityadmin, and public.  The only database
user is dbo (sa).

With this setup I thought I could block Windows authentication, but from what
I’ve read this cannot be done.  Is there another way to accomplish this?
Arnie Rowland - 28 Oct 2006 19:23 GMT
Don't provide any Windows login accounts permissions to log into the SQL
Server. Remove domain accounts from the Local Administrators.

And to a more salient point: Why on earth are you providing all users
database access as 'sa'?

Since all users are 'sa', the roles are useless because they are all system
admins in the SQL Server. That is the most egregious security breach
imaginable. Any user that knows (or learns) how to use Excel to connect to
SQL Server, or installs an eval version of SQL Server and client tools
(meaning Enterprise Manager and Query Analyzer) will have the ability to
muck up your data and/or schema.

I surely hope that this isn't a regulated market that has to comply with
HIPAA or SARBOX - the application will fail the security audit.

Signature

Arnie Rowland, Ph.D.
Westwood Consulting, Inc

Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous

You can't help someone get up a hill without getting a little closer to the
top yourself.
- H. Norman Schwarzkopf

> I'm a third party developer and my database gets installed on all types of
> network setups.  I can't control the active directory settings for the
[quoted text clipped - 19 lines]
> what
> I've read this can not be done.  Is there another way to accomplish this?
jwbutler - 31 Oct 2006 21:54 GMT
Arnie,
Thanks for the advice.  I must not have explained it well enough.  The other
SQL logins provide access to different modules of the system, not users.

John

>Don't provide any Windows login accounts permissions to log into the SQL
>Server. Remove domain accounts from the Local Administrators.
[quoted text clipped - 17 lines]
>> what
>> I've read this can not be done.  Is there another way to accomplish this?
Arnie Rowland - 31 Oct 2006 22:13 GMT
John,

You can't 'block' Windows Authentication - but you don't have to accept any
Windows login accounts into your server.

Don't map any domain accounts to SQL Logins and/or database roles, and
don't provide any specific permissions to the PUBLIC role - and domain users
'should' be kept out of your database.

> Arnie,
> Thanks for the advice.  I must not have explained it well enough.  The
[quoted text clipped - 27 lines]
>>> I've read this can not be done.  Is there another way to accomplish
>>> this?
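
An audit of the setup discussed in this thread, as an added example that is not part of any participant's post: it lists the Windows logins, Windows-mapped database users, role memberships and PUBLIC grants that the advice above says to keep empty. It assumes the MSDE 2000 / SQL Server 2000 system tables and procedures; `AppDb` is a placeholder database name.

```sql
-- Added audit sketch for MSDE 2000 / SQL Server 2000.
-- AppDb is a placeholder (assumption); use the application's database name.

-- 1. Authentication mode. SQL logins require mixed mode; Windows
--    Authentication remains available in either mode.
EXEC master.dbo.xp_loginconfig 'login mode';

-- 2. Windows accounts and groups that hold a server login.
--    Any row with hasaccess = 1 is a Windows principal that can connect;
--    sysadmin = 1 means it connects with full control of the server.
SELECT loginname, isntgroup, isntuser, hasaccess, denylogin, sysadmin
FROM master.dbo.syslogins
WHERE isntname = 1
ORDER BY loginname;

-- 3. Every member of the sysadmin fixed server role (SQL and Windows).
EXEC master.dbo.sp_helpsrvrolemember 'sysadmin';

USE AppDb;

-- 4. Windows accounts or groups mapped to users in the database.
--    No rows means no domain account has been mapped in.
SELECT name, isntgroup, isntuser, hasdbaccess
FROM dbo.sysusers
WHERE isntname = 1;

-- 5. Database role memberships, to confirm that only the intended
--    module logins hold db_owner, db_ddladmin and similar roles.
SELECT r.name AS role_name, u.name AS member_name
FROM dbo.sysmembers AS m
JOIN dbo.sysusers AS r ON r.uid = m.groupuid
JOIN dbo.sysusers AS u ON u.uid = m.memberuid
ORDER BY r.name, u.name;

-- 6. Permissions granted to the public role. Grants on application
--    objects here apply to every user that can enter the database.
EXEC sp_helprotect NULL, 'public';
```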