Re: Inexplicable security lapse?

From: Sue Hoegemeier (Sue_H@nomail.please)
Date: 07/26/02


From: Sue Hoegemeier <Sue_H@nomail.please>
Date: Fri, 26 Jul 2002 11:27:35 -0600


If logins are being audited, you can check what login the
user is connecting with. If logins are not being audited,
you can turn this on - it's good practice to enable this
anyway.

-Sue
 
On Fri, 26 Jul 2002 12:49:22 -0400, "Richard Buchsbaum"
<rb539@columbia.edu> wrote:

>I'll check it out - except that, as far as I know, the two domains in
>question share no user accounts - in other words, the integrated should not
>work.
>
>Any other insights would be appreciated.
>
>"Sue Hoegemeier" <Sue_H@nomail.please> wrote in message
>news:cin2kukah4c63qos6t3t3hscfadbirag8b@4ax.com...
>> I would still guess that Jasper is correct. You could be
>> hitting an MDAC bug where the authentication mode setting is
>> ignored and windows authentication is always used. Refer to:
>> FIX: SQL Server ODBC Driver Ignores Authentication Setting
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q279526
>>
>> -Sue
>>
>> On Fri, 26 Jul 2002 09:15:09 -0400, "Richard Buchsbaum"
>> <rb539@columbia.edu> wrote:
>>
>> >Jasper:
>> >
>> >No, the ODBC DSN is specifically set up to use SQL Server authentication.
>> >The machine in question does log on, as an administrator and with
>> >integrated (NT) security, to another SQL Server (different server and
>> >different domain than the SQL Server I'm talking about).
>> >
>> >Any possibility that the permissions for the two SQL servers are
>> >interfering with each other? There is no trust set up between the two
>> >domains that I know of...
>> >
>> >Anyway, this seems (is!) a terrible breach of security, which I MUST
>> >close up. Help, please!
>> >
>> >Thanks,
>> >
>> >Richard
>> >
>> >"Jasper Smith" <jasper_smith9@hotmail.com> wrote in message
>> >news:OcJbGcBNCHA.2688@tkmsftngp11...
>> >> The PC that connects without prompting for a login and
>> >> gives too much access is probably using NT Authentication.
>> >> Is that PC logged on as a user with access to SQL anyway?
>> >>
>> >> HTH
>> >> Jasper Smith
>> >>
>> >> "Richard Buchsbaum" <rb539@columbia.edu> wrote in message
>> >> news:#nrl3HANCHA.1584@tkmsftngp12...
>> >> > Hi:
>> >> >
>> >> > In a SQL Server 2000, I have created a standard (SQL Server) login
>> >> > and corresponding user. The user is a member of only the public role
>> >> > on only one database. I have individually granted this user Select
>> >> > permission on a single view. That's it - nothing else.
>> >> >
>> >> > When I create an ODBC User DSN using this login, and try to access
>> >> > the data (linking tables to an Access 2002 .mdb file), I get
>> >> > different results on different computers: One computer seems to work
>> >> > properly, allowing read-only access to the view (along with access to
>> >> > the dtproperties, sysconstraints, and syssegments tables). But trying
>> >> > this on another computer allows read and write access to every table
>> >> > and view in the database!
>> >> >
>> >> > Help! I need to implement strict security for this database,
>> >> > especially on the offending computer. Any guidance would be
>> >> > appreciated.
>> >> >
>> >> > (One interesting point - when linking through Access, the machine
>> >> > with the proper permissions prompts me for the login's password,
>> >> > while the machine with the "breach" does not. Hmmm...)
>> >> >
>> >> > Thanks in advance,
>> >> >
>> >> > Richard
>> >> >
>> >> >
>> >>
>> >>
>> >
>>
>
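
An added example, not part of the original thread: T-SQL for checking which login a connection really authenticated as, the check suggested at the top of this message. It assumes SQL Server 2000 system tables; queries 1 and 2 run over the same ODBC DSN from each machine (for instance as a pass-through query) so the results can be compared, and query 3 runs once from an administrative session.

```sql
-- 1. Identity of the current session.
--    SYSTEM_USER is the SQL Server login name for a standard login,
--    or DOMAIN\user when the connection used Windows authentication.
--    USER_NAME() is the database user; members of sysadmin map to 'dbo'.
SELECT
    SYSTEM_USER                  AS login_name,
    USER_NAME()                  AS database_user,
    IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 = member, 0 = not
    IS_MEMBER('db_owner')        AS is_db_owner;   -- 1 = member, 0 = not

-- 2. The server's own record of this session.
--    nt_domain / nt_username are filled in for Windows-authenticated
--    (trusted) connections; hostname and program_name identify the client.
SELECT spid, loginame, nt_domain, nt_username,
       hostname, program_name, login_time
FROM   master.dbo.sysprocesses
WHERE  spid = @@SPID;

-- 3. Windows users and groups that have been given a login, with
--    sysadmin members listed first. A Windows account or group here
--    that covers the person logged on at the client would explain
--    access granted without a password prompt.
SELECT name, isntgroup, sysadmin, hasaccess, denylogin
FROM   master.dbo.syslogins
WHERE  isntname = 1
ORDER  BY sysadmin DESC, name;
```

If query 1 returns the standard login on one machine and a Windows account on the other, the second machine is not using the credentials stored with the DSN.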


