Re: No Application Logins Allowed - SOX
From: Ross Presser (rpresser_at_NOSPAMgmail.com.invalid)
Date: 06/21/05
- Next message: Sgreer: "Prevent user from browsing logins with EM?"
- Previous message: Mark J. McGinty: "Re: SQLServerAgent Service"
- In reply to: Mike Q: "No Application Logins Allowed - SOX"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 21 Jun 2005 12:58:31 -0400
On Tue, 21 Jun 2005 07:12:13 -0700, Mike Q wrote:
> Any insights would be appreciated.
>
> Thank you.
a) Individual users don't have to be added to databases; Windows security
groups will do. As usual, a user receives access equal to the highest
access permitted by any matching group, unless some group denies him that
access.
b) Require developers to do all retrieves AND updates through stored
procedures. A stored procedure can limit the number of rows returned or
affected; it can check APP_NAME() to make sure that it's not some random MS
Access or Query Analyzer; it can even enforce allowable hours if you're
paranoid enough. Then you can remove direct table/view access from the
database role.
This may also hit performance. But performance and security are tradeoffs;
get more of one, sacrifice the other.
Your other choice as I see it is to continue to use the "Customer"
application login, and use other means to apply relevant auditing of which
windows users make use of the login.
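The group-based grant and the stored-procedure gatekeeper described in the reply above, written out as an added example that is not part of the original post; the table, role, Windows group, application name and audit table are assumed placeholders, and the syntax targets SQL Server 2000-era T-SQL.

```sql
-- Added example (not from the original post). Hypothetical names:
-- DOMAIN\CustomerApp-Users (Windows group), CustomerReaders (db role),
-- dbo.Customer (data table), dbo.AccessAudit (audit table), 'CustomerApp'.

-- 1. Map a Windows security group to a database role; no per-user grants.
EXEC sp_grantlogin 'DOMAIN\CustomerApp-Users';
EXEC sp_grantdbaccess 'DOMAIN\CustomerApp-Users';
EXEC sp_addrole 'CustomerReaders';
EXEC sp_addrolemember 'CustomerReaders', 'DOMAIN\CustomerApp-Users';

-- 2. Remove direct table access from the role; it will only get EXECUTE.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Customer FROM CustomerReaders;
GO

CREATE PROCEDURE dbo.usp_FindCustomers
    @NamePrefix VARCHAR(50)
AS
BEGIN
    SET NOCOUNT ON;

    -- Record which Windows user called, and from which client program.
    INSERT INTO dbo.AccessAudit (LoginName, AppName, AccessedAt)
    VALUES (SUSER_SNAME(), APP_NAME(), GETDATE());

    -- Reject ad-hoc tools by application name. APP_NAME() is whatever the
    -- client put in its connection string, so this deters casual use of
    -- Access or Query Analyzer; it is not a hard security boundary.
    IF APP_NAME() <> 'CustomerApp'
    BEGIN
        RAISERROR('Access is only permitted through the Customer application.', 16, 1);
        RETURN 1;
    END

    -- Allowable hours (server local time, 07:00 to 19:00).
    IF DATEPART(hh, GETDATE()) < 7 OR DATEPART(hh, GETDATE()) >= 19
    BEGIN
        RAISERROR('Access outside business hours is not permitted.', 16, 1);
        RETURN 2;
    END

    -- Cap the rows a single call can return so the table cannot be dumped.
    SELECT TOP 100 CustomerId, Name, Email
    FROM dbo.Customer
    WHERE Name LIKE @NamePrefix + '%';
    RETURN 0;
END
GO

GRANT EXECUTE ON dbo.usp_FindCustomers TO CustomerReaders;
GO
```

The group membership and the revoked table rights are what actually bound access; the APP_NAME() and hours checks, plus the audit row keyed on SUSER_SNAME(), give the per-user traceability the thread is asking for.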