Solved

What is the minimum SQL security needed for a MS SQL 2005 database?

Posted on 2008-10-10
4
220 Views
Last Modified: 2010-08-05
What is the minimum SQL security needed for a MS SQL 2005 database?

I've setup a database instance and have added a database.  The software that I wrote interfaces the database and adds/updates/removes table data but does not change the database structure.  My concern is that I want to make sure that I'm not giving the user too much access in case they connect with a SQL database manager/etc.

In server roles I've assigned "public" to the user and
In User Mapping I've assigned "db_owner" and "public"

Also, something to consider is that I'm going to have a lot of users being added/removed, so if there's a better way to manage this process please let me know.

Thank you!
0
Comment
Question by:jdraggi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 22690672
db_owner means: full access (including drop table !!!!)
so, remove that ASAP, and instead you might want to specify db_datareader and db_datawriter roles.

side note: lock down sql server 2005 article:
http://duartes.org/gustavo/articles/Lock-Down-SQL-Server-2005.aspx
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 22690685
>>In User Mapping I've assigned "db_owner" and "public"
Not a good practice...the db_owner part.  The idea is to write procs and assign the user permission to run them.  

Are you using SQL Auth?  If so, then the user doesn't really even need to know the userid and pwd. They just connect to the app, and go about their business.  They shoudln't really need to access the db directly.
0
 
LVL 3

Author Comment

by:jdraggi
ID: 22690762
angelIII, We're still in testing at this point so this is very good information.  So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?

chapmandew, Yes, we are using SQL Auth however we also have to support trusted connections as well.  I see your point about not allowing them to even know the username/password however that won't fly with this project.  They also want the ability to create their own reports/etc so the database has to be open but protected at the same time.
0
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 22693124
> So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?
yes, exactly. on all existing and future tables.

0

Featured Post

Optimizing Cloud Backup for Low Bandwidth

With cloud storage prices going down a growing number of SMBs start to use it for backup storage. Unfortunately, business data volume rarely fits the average Internet speed. This article provides an overview of main Internet speed challenges and reveals backup best practices.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

JSON is being used more and more, besides XML, and you surely wanted to parse the data out into SQL instead of doing it in some Javascript. The below function in SQL Server can do the job for you, returning a quick table with the parsed data.
Ever wondered why sometimes your SQL Server is slow or unresponsive with connections spiking up but by the time you go in, all is well? The following article will show you how to install and configure a SQL job that will send you email alerts includ…
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question