Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
Home
Discussion Groups
DB Engine
SQL ServerMSDESQL Server CE
Services
Analysis (Data Mining)Analysis (OLAP)DTSIntegration ServicesNotification ServicesReporting Services
Programming
CLRConnectivitySQLXML
Other Technologies
ClusteringEnglish QueryFull-Text SearchReplicationService Broker
General
Data WarehousingPerformanceSecuritySetupSQL Server ToolsOther SQL Server Topics
DirectoryUser Groups
Related Topics
MS AccessOther DB ProductsMS Server Products.NET DevelopmentVB DevelopmentJava DevelopmentMore Topics ...
SQL Server Forum / DB Engine / SQL Server / March 2008

Tip: Looking for answers? Try searching our database.

SQL Server Security

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
Lijun Zhang - 04 Mar 2008 20:56 GMT
Last week, we had an auditor came in to audit our SQL Server security
settings. He specifically checks if we set developers as sysadmin server
role on our development servers. Our data on dev servers are scrambled,
including name, phone, ssn, bank account numbers, addresses etc.

Can anyone give me the reasons that why do we not want developers as
sysadmin server role on a development server?

Thanks,

Lijun
Reply to this Message
Paul Ibison - 04 Mar 2008 21:30 GMT
Firstly I'd be interested in how the data is encrypted and if it could be
easily decrypted by having total rights to the instance - ie are the
decryption routines held in the instance? If the developers wrote the
encryption routines outside of SQL Server and you have access to this code
then this is a bit academic anyway :)

Next I'd look at how you could interact with the rest of your network.
Access to xp_cmdshell and sp_OA.... procedures could be a problem if run in
the context of a domain admin, which is the login used on a lot of SQL
installations I've seen. Finally I'd look at any linked servers that are set
up - total access to these could be an issue - just depends which systems
they are pointing at.

Cheers,
Paul Ibison
Reply to this Message
David Portas - 04 Mar 2008 21:45 GMT
> Last week, we had an auditor came in to audit our SQL Server security
> settings. He specifically checks if we set developers as sysadmin server
[quoted text clipped - 7 lines]
>
> Lijun

Depends how your developers work. If they use their own logins to do unit
tests on the dev server then those logins ought to be given only the roles
they have in production. If they have separate logins for testing then maybe
that's not a problem.

I'm a little sceptical about what you mean by "scrambling" sensitive data
though.

Signature

David Portas

Reply to this Message
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2009 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.