use one sql server authentication for many users?

Posted on 2006-05-19
Last Modified: 2010-03-19
I am using mixed mode for SQL Server. Most of our users will use mixed mode so I created one account for all users. I connect to the server but I always connect and disconnect the record set in other words there are no record set connection left open duration of the program.

I have a table that consists of users and each user has different rights to different parts of the program. i.e. one user may not have the rights to use accounting section of the program. When they launch the program, it asks the user for user name and password but that is just to authenticate the user and to setup the application layout. When the user connects to the database, it uses a different user name and password to authenticate the sql server account.

SQL Server Authentication
User id: General_user
Password: zeus

Lists of all users with password and varies fields that have the users’ rights value.

Is this a typical practice or what?

Question by:lunchbyte
    LVL 142

    Assisted Solution

    by:Guy Hengel [angelIII / a3]
    >Most of our users will use mixed mode
    this is "nonsense". let me explain.

    In SQL Server, you have 2 types of LOGINS:
    * SQL Server logins:
      -> SQL Server stored the name and password for the login
    * Windows Authenticated logins
      -> SQL Server only stores the name of the windows NT User OR NT Group

    SQL Server can run in 2 modes:
    * Windows Authentication mode
      -> only Windows Authentication logins will be allowed to login; SQL Server logins will be blocked
    * Mixed mode
      -> both types of logins are allowed

     when a user connects with a USERNAME/PASSWORD, he is using SQL Authentication, the USERNAME actually being the LOGIN name.
     to use Windows Authentication, the application has to specify a special connection string that indicates to use Windows Authentication.
    SQL Server does not allow any windows account by default, you have to create those nt-based logins in sql server for those NT accounts that you want to grant the relevant permissions

    LVL 11

    Accepted Solution

    I think what he meant was that the application has a login/pwd hardcoded into the client-program that is able to connect to the server. (SQL-security)
    Additionally, the client application will ask for 'another set' of login/pwd and will verify that against the information stored in some user-tables in the database. (application security)

    I don't think it is uncommon, but I would not recommend it either. If someone ever managed to find the hardocoded values (amazing things can be done using a hex-editor, or even notepad), he would most likely have full access to the database.

    The way we do it here is by
    * giving each user a specific login (either by allowing there windows-account to connect, or by giving them a unique login/pwd)
    * configure the security on the database so the users have only got access to a limited number of procedures (or views) and each of those (procedures or views) have a check built in that will verify if given login has sufficient access based on the data in the security related user-tables mentioned above.

    If ever a user needs to be able to execute some dynamic sql or stuff on objects he normally would not have access too, our appliction will load an encrypted appliction role and password from a configuration table, decrypt it, create a new connection, activate the application role, do whatever is needed and drop the connection again.

    Works fine for us and we haven't found anyone 'breaking the system' yet.


    Featured Post

    Do You Know the 4 Main Threat Actor Types?

    Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

    Join & Write a Comment

    Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
    Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
    Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.
    Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now