Solved

What is the minimum SQL security needed for a MS SQL 2005 database?

Posted on 2008-10-10
4
210 Views
Last Modified: 2010-08-05
What is the minimum SQL security needed for a MS SQL 2005 database?

I've setup a database instance and have added a database.  The software that I wrote interfaces the database and adds/updates/removes table data but does not change the database structure.  My concern is that I want to make sure that I'm not giving the user too much access in case they connect with a SQL database manager/etc.

In server roles I've assigned "public" to the user and
In User Mapping I've assigned "db_owner" and "public"

Also, something to consider is that I'm going to have a lot of users being added/removed, so if there's a better way to manage this process please let me know.

Thank you!
0
Comment
Question by:jdraggi
  • 2
4 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 22690672
db_owner means: full access (including drop table !!!!)
so, remove that ASAP, and instead you might want to specify db_datareader and db_datawriter roles.

side note: lock down sql server 2005 article:
http://duartes.org/gustavo/articles/Lock-Down-SQL-Server-2005.aspx
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 22690685
>>In User Mapping I've assigned "db_owner" and "public"
Not a good practice...the db_owner part.  The idea is to write procs and assign the user permission to run them.  

Are you using SQL Auth?  If so, then the user doesn't really even need to know the userid and pwd. They just connect to the app, and go about their business.  They shoudln't really need to access the db directly.
0
 
LVL 3

Author Comment

by:jdraggi
ID: 22690762
angelIII, We're still in testing at this point so this is very good information.  So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?

chapmandew, Yes, we are using SQL Auth however we also have to support trusted connections as well.  I see your point about not allowing them to even know the username/password however that won't fly with this project.  They also want the ability to create their own reports/etc so the database has to be open but protected at the same time.
0
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 22693124
> So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?
yes, exactly. on all existing and future tables.

0

Featured Post

NAS Cloud Backup Strategies

This article explains backup scenarios when using network storage. We review the so-called “3-2-1 strategy” and summarize the methods you can use to send NAS data to the cloud

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Everyone has problem when going to load data into Data warehouse (EDW). They all need to confirm that data quality is good but they don't no how to proceed. Microsoft has provided new task within SSIS 2008 called "Data Profiler Task". It solve th…
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Via a live example, show how to shrink a transaction log file down to a reasonable size.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question