Re: Visual Studio gives direct dbo access to Sql Server 2000 ??? <<Update>>

From: BBFrost (barry.b.frost_at_remove_this.wrd.state.or.us)
Date: 07/19/05 

Date: Mon, 18 Jul 2005 16:43:17 -0700

New Info ...

A couple of the developers turned out to be NT Domain administrators. We
removed the developers from the NT Domain Admin list and they now have to
login (over and over again) to access their tables. They're not very happy.
So far it seems that being an NT Domain Administrator allows one to "Blow
Right past" Sql Server's Security checks and access the server with "dbo"
rights.

Can anyone elaborate on what's going on here ??? Is there a way to allow
the developers to be NT Domain Admins without automatically granting them
"cart blanc" DB access ??

Again ... Thanks in advance.

Barry
in Oregon

"BBFrost" <barry.b.frost@remove_this.wrd.state.or.us> wrote in message
news:ew9p9j#iFHA.2472@TK2MSFTNGP15.phx.gbl...
> Greetings,
>
> I'm a new Sql Server administrator and I just received a shock ... We've
> set up a pretty much default instance of Win2003 server and SqlServer
2000.
>
> Just told the developers that I'd set up a test Sql Server instance and
told
> them the name. Shortly there after I found that they were connecting from
> Visual Studio are getting automatic 'dbo' access.
>
> Tables and views are popping up all over the place, all owned by dbo and
I'm
> having a tough time figuring out what's going on.
>
> I've set the Sql Server 2000 Security parameters to "Sql Security &
Windows"
> and I've created individual user accounts for our test database. (The
> security options I see are "SQL Server and Windows" & "Windows Only".
> Selecting "SQL Server and Windows" doesn't seem to limit the developers
from
> charging in with "Window Only" access.
>
> For example "smithca" has a Windows NT Domain account and Visual Studio.
>
> Within the test_db_server database I've created a "smithca" user account.
>
> With the test_db "smithca" has been granted the "public" roll.
>
> When "smithca" fires up Visual Studio Server Explorer, points at
> "test_db_server" and creates a "Window NT integrated security" account.
> WHAM! He's got "dbo" access to the database.
>
> From what I can see any developer can log into any database (test or
> production) with full DBA permissions.
>
> Afraid ... very afraid !!!
>
> Any help with this would be greatly appreciated !!!
>
> Thanks in advance
>
> Barry
> in Oregon
>
>
>

Relevant Pages

  • Developer Account Privileges
    ... developers as domain administrators and thought of removing ... administration privileges. ... This seems to break the debugging of ASP.Net ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: How to create views with SQL-NS
    ... >> What programming language are you using for your Wizard? ... all of our developers have EM and QA. ... >>>creation within our security model that sits atop SQL Server. ...
    (microsoft.public.dotnet.framework.interop)
  • Re: Future of ADPs
    ... "Developers", that really started in Access and continued with Access ... Ms Access ADPs and SQL Server 2005 Express ... SQL Server 2005 Express and ASP.Net, ... Reports to design your reports. ...
    (microsoft.public.access.adp.sqlserver)
  • RE: MS SQL Farm
    ... Regards ... > infrastructure that will help us leverage MS Sql server. ... > implementation and design will be done by us developers. ... > development/test and production servers with stand by servers. ...
    (microsoft.public.sqlserver.clustering)
  • Re: DAO vs ADO
    ... In the past I have had my differences with Joe as he comes from the SQL side ... I am not sure if SQL Server 2005 has blown it or not, ... Access is a wonderful front end development tool for database developers ... maybe we could let all the programmers go and use whatever the latest ...
    (microsoft.public.access.conversion)