Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

What is the minimum SQL security needed for a MS SQL 2005 database?

Posted on 2008-10-10
4
Medium Priority
?
231 Views
Last Modified: 2010-08-05
What is the minimum SQL security needed for a MS SQL 2005 database?

I've setup a database instance and have added a database.  The software that I wrote interfaces the database and adds/updates/removes table data but does not change the database structure.  My concern is that I want to make sure that I'm not giving the user too much access in case they connect with a SQL database manager/etc.

In server roles I've assigned "public" to the user and
In User Mapping I've assigned "db_owner" and "public"

Also, something to consider is that I'm going to have a lot of users being added/removed, so if there's a better way to manage this process please let me know.

Thank you!
0
Comment
Question by:jdraggi
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 143

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 22690672
db_owner means: full access (including drop table !!!!)
so, remove that ASAP, and instead you might want to specify db_datareader and db_datawriter roles.

side note: lock down sql server 2005 article:
http://duartes.org/gustavo/articles/Lock-Down-SQL-Server-2005.aspx
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 22690685
>>In User Mapping I've assigned "db_owner" and "public"
Not a good practice...the db_owner part.  The idea is to write procs and assign the user permission to run them.  

Are you using SQL Auth?  If so, then the user doesn't really even need to know the userid and pwd. They just connect to the app, and go about their business.  They shoudln't really need to access the db directly.
0
 
LVL 3

Author Comment

by:jdraggi
ID: 22690762
angelIII, We're still in testing at this point so this is very good information.  So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?

chapmandew, Yes, we are using SQL Auth however we also have to support trusted connections as well.  I see your point about not allowing them to even know the username/password however that won't fly with this project.  They also want the ability to create their own reports/etc so the database has to be open but protected at the same time.
0
 
LVL 143

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 2000 total points
ID: 22693124
> So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?
yes, exactly. on all existing and future tables.

0

Featured Post

Free Backup Tool for VMware and Hyper-V

Restore full virtual machine or individual guest files from 19 common file systems directly from the backup file. Schedule VM backups with PowerShell scripts. Set desired time, lean back and let the script to notify you via email upon completion.  

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Via a live example, show how to extract information from SQL Server on Database, Connection and Server properties
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question