Re: Securing a web DB

From: Kresimir Radosevic (kresimir.radosevic@zg.tel.hr)
Date: 11/30/02



If your ISP has only one SQL Server instance then you can't do much, since
sysadmin overrides everything. I'd ask for a separate SQL Server instance,
revoke BUILTIN\Administrators and use a strong sa password. I think that's the
only way, because if you want to fully control access to your database you have
to control the sysadmins, and that means the whole instance. The reason you can't
deny permissions to sysadmins is that SQL Server doesn't even check security
for sysadmins, so SQL will never find your DENY.

-- 
Kresimir Radosevic, SQL MVP
I support the Professional Association for SQL Server and its user community
of dedicated professionals.
www.sqlpass.org
"Murali" <diffs@vsnl.com> wrote in message 
news:O6dH7a3lCHA.1516@tkmsftngp04...
> Hi,
>
> We are putting up an ASP.NET based web site using a SQL Server database.
>
> Users of the web site get to see confidential data. All of them have to
> login to look at data.
> Eventually the site will be SSLed to protect it from password hacking.
>
> The way the s/w is designed currently is to read the connection string (db
> name, uid, password) from an XML file and establish connection to the DB.
>
> We are planning to host the site with an ISP.
> One of the requirements is that the ISP should not be able to "easily"
> access the SQL database.
> Firstly, we are planning to use SQL server authentication (and not Win 2K
> integrated login) for the database.
> We want to ensure that the Web host administrator does not read the XML file
> and get to know the SQL server password.
> One suggestion is to encrypt the password (or connect string) and store
> this in XML.
>
> What do others do in these situations ? Any ideas  / URLs are welcome
>
> Murali
>
>
> --
> Differentiated Software Solutions Pvt. Ltd.,
> 90, 3rd Cross,2nd Main,
> Ganga Nagar,
> Bangalore - 560 032
> Phone : 91 80 3631445, 3431470
> Visit us at www.diffsoft.com
>
> 
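The hardening steps Kresimir lists, written out as an added T-SQL example for SQL Server 2000 (this is not code from either post in the thread). The database WebDb, the table dbo.ConfidentialData and the login webapp are hypothetical names, and the password strings are placeholders to be replaced. It also shows the check a practitioner would run: list the sysadmin members, because that list, not GRANT/DENY inside the database, is the real trust boundary.

```sql
-- Added example, not code from the original posts. Hypothetical names:
-- database WebDb, table dbo.ConfidentialData, application login webapp.
-- Password strings are placeholders. SQL Server 2000 system procedures.

-- 1. Who is sysadmin on the instance? Every login listed here bypasses
--    permission checks in every database, so this list is the trust
--    boundary for the confidential data, not GRANT/DENY inside WebDb.
--    IS_SRVROLEMEMBER tells you whether the current session is one of them.
EXEC sp_helpsrvrolemember 'sysadmin';
SELECT IS_SRVROLEMEMBER('sysadmin') AS current_session_is_sysadmin;

-- 2. Drop the default mapping of local Windows administrators to sysadmin.
--    Confirm first that you can log in as sa (instance in mixed mode), or
--    you lock yourself out of the instance.
EXEC sp_revokelogin 'BUILTIN\Administrators';

-- 3. Give sa a strong password. The first argument (old password) may be
--    NULL when the caller is a sysadmin.
EXEC sp_password NULL, 'Replace-With-Strong-Password', 'sa';

-- 4. The web site connects as a low-privilege SQL login that holds only the
--    rights it needs; sa never goes into the connection string.
EXEC sp_addlogin 'webapp', 'Replace-With-App-Password', 'WebDb';
USE WebDb;
EXEC sp_grantdbaccess 'webapp';
GRANT SELECT ON dbo.ConfidentialData TO webapp;
DENY INSERT, UPDATE, DELETE ON dbo.ConfidentialData TO webapp;

-- 5. DENY is evaluated for ordinary logins only. A sysadmin can impersonate
--    the database user with SETUSER and attempt a statement webapp is denied;
--    the WHERE clause makes the probe harmless even if it were allowed.
--    Run the same probe as a sysadmin login and the DENY is never consulted.
SETUSER 'webapp';
DELETE FROM dbo.ConfidentialData WHERE 1 = 0;
SETUSER;
```

Run the impersonated DELETE in step 5 and it is rejected with a permission error for webapp; remove the SETUSER and run it as any member of the sysadmin role and it succeeds, which is the behaviour described above. On later SQL Server versions the same steps use DROP LOGIN, ALTER LOGIN ... WITH PASSWORD and CREATE LOGIN/CREATE USER instead of the sp_* procedures, but the trust boundary is unchanged: whoever administers the instance can read the database.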
