Re: Is there an alternative to disabling windows authentication?



John,

You can't 'block' Windows Authentication -but you don't have to accept any
Windows login accounts into your server.

Don't map any domain accounts to SQL Logins or and/or database roles, and
don't provide any specific permissions to the PUBLIC role -and domain users
'should' be kept out of your database.

--
Arnie Rowland, Ph.D.
Westwood Consulting, Inc

Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous

You can't help someone get up a hill without getting a little closer to the
top yourself.
- H. Norman Schwarzkopf


"jwbutler via SQLMonster.com" <u16619@uwe> wrote in message
news:689a9031677c2@xxxxxx
Arnie,
Thanks for the advise. I must not have explained it well enough. The
other
sql logins provide access to different modules of the system not users.

John

Arnie Rowland wrote:
Don't provide any Windows login accounts permissions to log into the SQL
Server. Remove domain accounts from the Local Administrators.

And to a more salient point: Why on earth are you providing all users
database access as 'sa'?

Since all users are 'sa', the roles are useless because they are all
system
admins in the SQL Server. That is the most egregious security breach
imaginable. Any user that knows (or learns) how to use Excel to connect to
SQL Server, or installs an eval version of SQL Server and client tools
(meaning Enterprise Manager and Query Analyzer) will have the ability to
muck up your data and/or schema.

I surely hope that this isn't a regulated market that has to comply with
HIPAA or SARBOX -the application will fail the security audit.

I'm a third party developer and my database gets installed on all types
of
network setups. I can't control the active directory settings for the
[quoted text clipped - 19 lines]
what
I've read this can not be done. Is there another way to accomplish
this?

--
Message posted via SQLMonster.com
http://www.sqlmonster.com/Uwe/Forums.aspx/sql-server-security/200610/1



.