Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
Shabugeorge
Starting Member
5 Posts |
 Posted - 2004-08-22 : 04:14:06
|
| Dear DB Guru's,I have a VB application with Sqlserver 2000 as backend .Users of my app. is connected to the server by windows 2000 authentication mode.Now i came to see that some of the users have installed Sql server in their PC and they are able to connect to my App Server directly through Query analyser.How can i deny them access to my App server.Thanks,Have a nice day,Shabu |
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2004-08-22 : 10:26:29
|
| how did they get the connectivity information? I hope your ini file is secured?Choose any of the following:1. Change your ini file and encrypt. You can restrict the sql port number so that even if they know the ip address, the new port is unknown to them.2. kill spid in your sysprocesses table wherein application = to your application name and user= windows account3. set an application role and be sure to 'hide' this from them and revoke all of their permissions set to nt account. they may be able connect but without setting up the application role, they'll be restrictedHope this helps... |
 |
|
|
derrickleggett
Pointy Haired Yak DBA
4184 Posts |
Posted - 2004-08-22 : 12:15:51
|
| You really should have the applictions connecting with a windows account. You then have the applictions grant users permissions to pieces of the appliction. By doing this, users have zero permissions in the database. What kind of apps are they using?Now i came to see that some of the users have installed Sql server in their PC and they are able to connect to my App Server directly through Query analyser.I assume you have a combined SQL Server and app server? You should break this up if you can afford it. Also, make sure you have restricted these users and the public role so they can't run things like sp_executesql and xp_cmdshell. That would suck.MeanOldDBAderrickleggett@hotmail.comWhen life gives you a lemon, fire the DBA. |
|
|
|
Shabugeorge
Starting Member
5 Posts |
Posted - 2004-08-24 : 06:34:42
|
| Hai Gurus,Thanks for yours reply,I have very limited knowledge on security aspects of Sql server.First of all i would like to know that where exactly i should provide the security policy that is on the network server or on the DB server. |
|
|
|
MuadDBA
628 Posts |
Posted - 2004-08-24 : 09:55:46
|
| Then I'd suggest your first start be browsing SQL Server books online, reading up on the security areas. |
|
|
|
derrickleggett
Pointy Haired Yak DBA
4184 Posts |
Posted - 2004-08-24 : 23:56:16
|
| First of all i would like to know that where exactly i should provide the security policy that is on the network server or on the DB server.What does this mean?MeanOldDBAderrickleggett@hotmail.comWhen life gives you a lemon, fire the DBA. |
|
|
|
jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2004-08-25 : 01:24:43
|
| Hi ShabuGeorge,You can tighten security by combining network and server security.First of all, are your users within your local network?Here are just some tips that we did on our own setup:1. restrict (thru firewall) only authorized users to connect to the servers2. if your users have the same privileges, you can group them and apply the permissions, this will give you ease of management when a user is removed or added to the group.3. If all users of a server are from within your local network, use windows authentication only for Server connection. Do this only if you are sure that you will not have other users outside your local network.Hope these help... |
|
|
|
|
|
|
|
|
Security Issue