RE: How to prevent QA and EM access to DB

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: AnthonyThomas (AnthonyThomas_at_discussions.microsoft.com)
Date: 11/07/04 

Date: Sun, 7 Nov 2004 07:41:02 -0800

EM and QA are just tools, not Developement or Administrative tools, just like
the various applications that you are using. If you want users to be
required to use one application over another and are using Windows
Authentication, there are only a few ways to accomplish this.

1. Create an application Windows account and only allow users access to the
database through this one application account. The application will have to
run a Windows Service or COM object to proxy for the users' access.

2. Grant user access through Windows Groups deny access to everything but
the execution of the procedure that envokes SQL Server Application Roles.

3. Grant user and/or application access to the database but only give
permission to execute stored procedures, deny access to everything else.

Unfortunately, if security is not considered as part of the design process,
there is little you can do once the system has gone into production. I'd
consider the use of VIEWs to limit the misuse of improper joins, especially
OUTER JOINs. I would also consider setting the Query Governor to a high but
meaningful threashold value.

Sincerely,

Anthony Thomas

"Tom" wrote:

> Hallo!
>
> I have our main group of users in a NT group that has datareader and
> datawriter rights to production DB.
> Can I prevent that same users access to that DB with Querry analizer or
> Enterprise manager???
> Some of those users (programers...) have SQL management tools installed so
> they can access test SQL servers or local SQL.
> That mean that they could also connect to our main DB on production server
> using windows authentication. I can not disable their access to production
> DB
> because they also need to use an application that connect to a production DB
> with windows authentication.
> I read about using application roles but that would mean we have to modify
> the application.....
>
> I there an easyer way?
> Tom
>
>
>

Relevant Pages

  • Re: Windows security
    ... sp_change_users_password only works with SQL Server ... Authentication, not Windows Authentication. ... > Windows NT environment but still have entries in the Microsoft SQL Server ...
    (microsoft.public.sqlserver.security)
  • Re: Very basic login question
    ... Both computers are NOT members of a domain. ... In order to use Windows Authentication the two computers have to be ... you should have a login at the SQL Server on the XP Pro ...
    (microsoft.public.sqlserver.security)
  • Re: ODBC worked until Server reboot defaulted to windows authentic
    ... I got the exact spelling of the windows login with the case and I rebooted ... The odbc source is set up in windows and that connects on the test. ... The SQL Server Mgmt studio connects also but only as Windows authentication. ...
    (microsoft.public.sqlserver.setup)
  • Re: Why do I have to enable File and Printer sharing to connect through the XP firewall?
    ... connecting using a Windows account or using a SQL Server account? ... For Windows authentication, SQL Server need to enumerate the SIDs for the account you pass with Windows. ...
    (microsoft.public.sqlserver.clients)
  • Re: Trouble connecting to SQL Server express over Peer to Peer network
    ... I have a program that accesses an SQL Server Express database. ... Configuration and I connect using Windows Authentication. ... that have never been connected to the domain, I have an issue connecting. ...
    (microsoft.public.vb.general.discussion)