Re: sql server sp_addlogin from vb.net and security !!!!
From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 10/25/05
- In reply to: fasttrack via SQLMonster.com: "sql server sp_addlogin from vb.net and security !!!!"
Date: Mon, 24 Oct 2005 19:32:15 -0600
Yes there are security problems with this.
Yes the passwords can be read.
Yes you should be using some sort of encryption.
Why would you want a front end application to create
sysadmins anyway? You should have very few sysadmins, it
shouldn't be something users are allowed to do, you are
creating sysadmins that are SQL logins who can then create
however many of the same....you could be creating a security
nightmare for whoever has to deal with this server.
Using SQL authentication is less secure than using Windows
authentication. If you were adding Windows users, you
wouldn't be passing any password.
Yes it can be seen in clear text and you should use some
type of encryption.
I'd rethink why you want to go down this road and be very
careful and absolutely positive that this would be the only
way to accomplish whatever you are trying to do.
-Sue
On Sun, 23 Oct 2005 13:45:35 GMT, "fasttrack via
SQLMonster.com" <u15121@uwe> wrote:
>A problem of security:
>
>From a vb.net form I created the chance to add an SQL Server user with role
>as administrator.
>To create it, username and password are retrieved from two text box and then
>the login is created with:
>
>cmdSQL = "EXEC sp_addlogin '" & txtUser.text & "', '" & txtPwd.text & "'"
>then the cmdSQL is executed.
>
>Then:
>added to Administrator role as follows:
>cmdSQL = "EXEC sp_addsrvrolemember '" & txtUser.text & "', 'sysadmin'"
>then the cmdSQL is executed.
>
>Everything works well: user is created in the specified SQL Server and added
>to administrator role.
>
>My question is:
>Doing so...are there problems of security? Password could be read when
>sp_addlogin is executed....?
>
>An encryption method must be used?
>
>This is very important because the new user created has administrator
>privilege.
>
>Any help or suggestion may be helpful...
>
>Thanks
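
An added example, not part of the original thread: the T-SQL below shows the Windows-authenticated alternative Sue mentions, where no password appears in the statement, followed by an audit query a DBA can run to see how many sysadmins exist and which of them are SQL logins. It assumes SQL Server 2005 or later for the catalog views, and `CONTOSO\jsmith` is a constructed placeholder account.

```sql
-- Added example; CONTOSO\jsmith is a constructed placeholder, not from the thread.

-- 1. Windows login: the statement carries an account name only, no password.
--    (sp_grantlogin is the Windows counterpart of sp_addlogin.)
EXEC sp_grantlogin @loginame = N'CONTOSO\jsmith';

-- 2. Audit: list every member of the sysadmin fixed server role.
--    SQL-authenticated logins (type 'S') sort first, since those are the
--    accounts whose passwords the application had to send to the server.
SELECT  m.name                  AS login_name,
        m.type_desc             AS login_type,   -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP
        m.is_disabled,
        m.create_date,
        sl.is_policy_checked,                    -- NULL for Windows principals
        sl.is_expiration_checked                 -- NULL for Windows principals
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r
        ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m
        ON m.principal_id = rm.member_principal_id
LEFT JOIN sys.sql_logins        AS sl
        ON sl.principal_id = m.principal_id
WHERE   r.name = N'sysadmin'
ORDER BY CASE m.type WHEN 'S' THEN 0 ELSE 1 END,
         m.create_date DESC;
```

Rows with `login_type = SQL_LOGIN` and a recent `create_date` are the ones to review first when a front-end application has been allowed to create sysadmins.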