Re: Security infrastructure plan
From: Sue Hoegemeier (Sue_H@nomail.please)
Date: 05/09/02
From: Sue Hoegemeier <Sue_H@nomail.please> Date: Thu, 09 May 2002 12:17:47 -0600
Chris,
I'd leave the system tables out of the whole thing. No one needs access to those. Just allow the default public privileges and that should be sufficient. Allowing users other direct access to system tables is asking for problems.

Using a hierarchy of groups, roles, that type of thing, is much easier to maintain and is the recommended approach in MS documentation. Whatever you can manage through Windows NT groups, use that. Use built-in roles when you can and then create your own to expand on what you need.

One thing though.... If public is denied certain permissions then you will effectively be denying them to everyone other than sysadmins. Deny takes precedence and everyone is a member of public. Only a sysadmin will bypass a deny. The rights and privileges a user has are the sum of all rights/privileges based on their group membership, role membership and individual account, with deny taking precedence.

Don't forget to consider issues with the guest account if you have it in the databases.
You may want to go over the security white paper for whichever version of SQL Server you are running - it's a very good resource:

For SQL 2000 -
http://www.microsoft.com/sql/techinfo/administration/2000/securityWP.asp

or for SQL 7 -
http://www.microsoft.com/sql/techinfo/administration/70/securityWP.asp
-Sue
On Thu, 9 May 2002 13:08:39 -0400, "Chris Beardsley"
<clb39@nospam-cornell.edu> wrote:
>The DBs on our local test server currently have everyone in the public role.
>The public role has access to everything. This occurs to me to be a wide
>open security schema (or does not exist, whichever your preference).
>
>I was planning on making some more tiered access groups, then restricting
>public to select only. The results would look something like this:
>
>Full - all rights to select, insert, update, delete, and DRI; system table access
>Change - rights to select, insert, update, and delete; denied DRI and system table access
>Public - rights to select; denied insert, update, delete and DRI and system table access
>Purgatory - denied access to everything and system table access
>
>What am I missing with this user formula? What could I potentially break on
>the server (not App) if I implement this?
>
>Responses directly to this, or additional security information would be
>greatly appreciated.
>
>Chris
>
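The following T-SQL is an added example, not code from either poster, showing how the tiers Chris proposed can be built the way Sue describes: Windows NT groups mapped to database roles, permissions granted to roles, SELECT left on public by REVOKE rather than DENY, and an explicit DENY only on the role whose members should get nothing. The database name (SalesDB), the table (dbo.Orders) and the NT group names (CORP\...) are placeholders; the stored procedures used are the SQL Server 7/2000-era ones (sp_addrole, sp_grantdbaccess, sp_addrolemember, sp_helprotect, sp_helpuser).

```sql
-- Added example (not from the thread). Placeholders: SalesDB, dbo.Orders, CORP\* groups.
USE SalesDB
GO

-- 1. One custom role per tier. Built-in roles such as db_datareader cover the simple
--    cases; custom roles expand on them. System tables keep their default public rights.
EXEC sp_addrole 'Full'
EXEC sp_addrole 'Change'
EXEC sp_addrole 'Purgatory'
GO

-- 2. Map Windows NT groups to database users, then put the users into roles.
--    Membership is then managed in NT, not login by login.
EXEC sp_grantdbaccess 'CORP\Sales_Full',      'Sales_Full'
EXEC sp_grantdbaccess 'CORP\Sales_Change',    'Sales_Change'
EXEC sp_grantdbaccess 'CORP\Sales_Purgatory', 'Sales_Purgatory'
EXEC sp_addrolemember 'Full',      'Sales_Full'
EXEC sp_addrolemember 'Change',    'Sales_Change'
EXEC sp_addrolemember 'Purgatory', 'Sales_Purgatory'
GO

-- 3. Object permissions per role. DRI is the REFERENCES permission.
--    Change simply does not receive REFERENCES; no DENY is needed to withhold a right
--    that no other membership grants.
GRANT SELECT, INSERT, UPDATE, DELETE, REFERENCES ON dbo.Orders TO Full
GRANT SELECT, INSERT, UPDATE, DELETE             ON dbo.Orders TO Change

-- 4. Public keeps SELECT only. Use REVOKE to remove anything else previously granted.
--    A DENY here would be the mistake Sue warns about: everyone is in public and deny
--    wins, so every non-sysadmin (Full and Change included) would lose the right.
REVOKE INSERT, UPDATE, DELETE, REFERENCES ON dbo.Orders FROM public
GRANT  SELECT                             ON dbo.Orders TO   public

-- 5. Purgatory is the one place a DENY belongs: it is scoped to that role's members and,
--    because deny takes precedence, overrides the SELECT they still inherit via public.
DENY SELECT, INSERT, UPDATE, DELETE, REFERENCES ON dbo.Orders TO Purgatory
GO

-- 6. Checks: list the resulting permissions on the table, and list database users/roles
--    so a stray guest account (another of Sue's points) is visible.
EXEC sp_helprotect 'Orders'
EXEC sp_helpuser
GO
```

Reading the sp_helprotect output is the useful check: each row shows a grantee, the action and whether it is a Grant or Deny, so a Deny row whose grantee is public (rather than Purgatory) is the misconfiguration to look for.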