Best Practice for SQL Server security
- From: "PSPDBA" <DissendiumDBA@xxxxxxxxx>
- Date: 12 Dec 2006 04:34:45 -0800
Our database section is relatively new. The SQL Servers were setup
before our creation and the security is our first area of concern.
Currently, there is a .NET 1.1 COM layer that handles all database
access. It is using a single NT domain account with read/write to all
the databases and execute on the user stored procedures. From what I'm
told, all the business rules for applications (mostly web apps) are
handled in the COM layer.
Our section feels that this is not a secured model from a database
perspective. We want each application to have a unique login to SQL.
Each application would have read/write/execute on its main database as
it does currently, however data access to other databases would be
tightly controlled by the allowing only enough privileges to accomplish
the business objective.
We are hitting massive battles from a small section of our
application developers who insist that the current model is most
secure. Our stance is that we don't trust the middle tier because of
the amount of human coding involved and the lack of auditability on
database security. They have proposed a solution where each COM object
has it's own unique ID, but any application can call any COM object
with read/write/execute in any database - this is not acceptable to us.
My question is - what is the best practice? What are you doing for
security with a "trusted" middle-tier.
.
- Follow-Ups:
- Re: Best Practice for SQL Server security
- From: Uri Dimant
- Re: Best Practice for SQL Server security
- Prev by Date: Re: Deny Create Database in SQL Server 2000
- Next by Date: Re: Best Practice for SQL Server security
- Previous by thread: Re: Deny Create Database in SQL Server 2000
- Next by thread: Re: Best Practice for SQL Server security
- Index(es):
Relevant Pages
|
|
