SQL server -- prevent application end users from loggin to sql ser
- From: Kumar <Kumar@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 18 Aug 2006 14:56:02 -0700
Hi Folks,
We have some inhouse applications developed using microsoft technologies
like C#.net,asp.net and sql server 2000.
All our applications end users are sql users in that sqlserver with their
windows domain credentials.
Recently Sarbanes-Oxley Audit conducted in our company.
One of the questions they asked is as given below.
1.How will you prevent end users of application to connect directly to sql
server and changing data in side the tables itself directly?
I replied as below.
1. 75% of end users are not that technical enough to connect directly to sql
server and changing data in side the tables itself.
2.There are no SQL-Client tools(query analyzer,sql enterprise manager, etc.)
installed in Application end users desktop's . So there is no-way for them
to connect to server
directly.
3.Even if they download directly from website, windows users rights will not
allow them to install clients tools on their desktops.
4.If they get their own laptops which has sql client tools, they are not
able to login to that system, using their normal domain credentials,
as their laptop name didn't exist in our company directory.
so they there is no way for them to connect to any of our sql servers
directly from their client tools.
5.Application end users doesn't have any access (digital access,physical
access) to that sql server box directly.
They ran sp_helprotect on our application databases. In that they found
Application End users has Insert,update,delete previleges for some of the
tables.
That is causing more concern for audit team. Their question is as below.
As they (end users) have update,delete rights on those tables, they can
change the data directly ? How you prevent them from changing data by
directly connecting to sql
server?
They didn't get satisfied with my above answers.
What should I tell them ?
we can revoke that insert,update,delete previleges on those tables, but it
needs many resources to test the entire application after revoking of those
previleges.
As all our developers working on bunch of other projects currently, they
don't have time to look into this issue and fix the existing applications.
As a DBA, How can I prevent them from logging into the SQL server directly
using sql client tools and changing the data ?
Is there any sql scripts to lock down the users to prevent them from
connecting directly to sql server ?
We need to allow them only from the our applications, not from any other
applications/sql client tools.
How can we achive that?
Atleast SQL server 2005 has that kind of ability?
Any kind of help is greatly appreciated.
--Kumar
.
- Follow-Ups:
- Re: SQL server -- prevent application end users from loggin to sql ser
- From: Arnie Rowland
- Re: SQL server -- prevent application end users from loggin to sql ser
- Prev by Date: How to validate a domain name
- Next by Date: Re: SQL server -- prevent application end users from loggin to sql ser
- Previous by thread: How to validate a domain name
- Next by thread: Re: SQL server -- prevent application end users from loggin to sql ser
- Index(es):
Relevant Pages
|
|
