SQL Server Forum / General / Security / January 2007

Giving access to outside web site to SQL Server stored procedure

Don - 28 Jan 2007 15:50 GMT
Hello, I have a sql server 2000 production database that will need to have
multiple web sites insert contact information into a table.  I plan to
create a new sql user and only give it permission to execute one stored
procedure (that will do the insert row into the contact table).

Then I will provide to any outside vendor the SQL Server name, database,
user id, password and stored procedure(and input parameters) name.  What are
the security concerns with this?

Would it make any sense to create a database with only this table in it, or
is this just overkill.  I see that when I assign a new user to just one
database and one stored procedure that they can see the master database.  Is
this an issue?  Should I give the user
db_denydatareader on the master database?

Thanks

Don
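The least-privilege setup Don describes, written out in SQL Server 2000 syntax as an added example (not code from the thread): one parameterised stored procedure, a SQL login that gets EXECUTE on that procedure and nothing else. The database, table, procedure and login names are placeholders, and the password is left as one too.

```sql
-- Added example, not from the original thread. ContactsDB, dbo.Contact,
-- dbo.usp_InsertContact and the login vendor_contact are placeholder names.
USE ContactsDB;
GO

-- Contact table the vendors may only write to through the procedure.
CREATE TABLE dbo.Contact (
    ContactId   int IDENTITY(1,1) PRIMARY KEY,
    VendorName  varchar(50)  NOT NULL,
    FullName    varchar(100) NOT NULL,
    Email       varchar(255) NOT NULL,
    CreatedAt   datetime     NOT NULL DEFAULT (GETDATE())
);
GO

-- The single entry point: a parameterised insert with no dynamic SQL, so the
-- caller can neither read the table nor smuggle extra statements through it.
CREATE PROCEDURE dbo.usp_InsertContact
    @VendorName varchar(50),
    @FullName   varchar(100),
    @Email      varchar(255)
AS
BEGIN
    SET NOCOUNT ON;
    -- Basic input check: reject obviously bad values instead of storing them.
    IF @FullName IS NULL OR LTRIM(RTRIM(@FullName)) = ''
       OR @Email IS NULL OR @Email NOT LIKE '%_@_%._%'
    BEGIN
        RAISERROR('Invalid contact data.', 16, 1);
        RETURN 1;
    END
    INSERT INTO dbo.Contact (VendorName, FullName, Email)
    VALUES (@VendorName, @FullName, @Email);
    RETURN 0;
END
GO

-- SQL login for the vendors, mapped to this one database.
EXEC sp_addlogin @loginame = 'vendor_contact',
                 @passwd   = '<strong password here>',
                 @defdb    = 'ContactsDB';
EXEC sp_grantdbaccess @loginame = 'vendor_contact',
                      @name_in_db = 'vendor_contact';
GO

-- Permission on the procedure only; no rights on the table itself.
GRANT EXECUTE ON dbo.usp_InsertContact TO vendor_contact;
GO
```

The login still cannot SELECT from dbo.Contact, so a leaked password exposes the ability to add rows, not to read the existing contacts.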
Erland Sommarskog - 28 Jan 2007 23:33 GMT
> Hello, I have a sql server 2000 production database that will need to have
> multiple web sites insert contact information into a table.  I plan to
[quoted text clipped - 10 lines]
> database.  Is this an issue?  Should I give the user db_denydatareader
> on the master database?

I would rather not expose an SQL Server on the Internet at all, least of
all SQL 2000. SQL 2000 has no protection against brute-force attacks whatsoever.
Even if you have a really strong password for sa, someone might be able to
crack it. The server would also be open for denial-of-service attacks.

I think you had better implement some sort of web service. Not
necessarily with XML. But something that listens on a TCP/IP port, possibly
authenticates the user, and then connects to SQL Server with this low-priv
user you described. Username and password would be hard-coded into this
service, or read from a file.


Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

©2009 Advenet LLC   Privacy Policy - Terms of Use