Solved

What is the minimum SQL security needed for a MS SQL 2005 database?

Posted on 2008-10-10
4
181 Views
Last Modified: 2010-08-05
What is the minimum SQL security needed for a MS SQL 2005 database?

I've setup a database instance and have added a database.  The software that I wrote interfaces the database and adds/updates/removes table data but does not change the database structure.  My concern is that I want to make sure that I'm not giving the user too much access in case they connect with a SQL database manager/etc.

In server roles I've assigned "public" to the user and
In User Mapping I've assigned "db_owner" and "public"

Also, something to consider is that I'm going to have a lot of users being added/removed, so if there's a better way to manage this process please let me know.

Thank you!
0
Comment
Question by:jdraggi
  • 2
4 Comments
 
LVL 142

Expert Comment

by:Guy Hengel [angelIII / a3]
ID: 22690672
db_owner means: full access (including drop table !!!!)
so, remove that ASAP, and instead you might want to specify db_datareader and db_datawriter roles.

side note: lock down sql server 2005 article:
http://duartes.org/gustavo/articles/Lock-Down-SQL-Server-2005.aspx
0
 
LVL 60

Expert Comment

by:chapmandew
ID: 22690685
>>In User Mapping I've assigned "db_owner" and "public"
Not a good practice...the db_owner part.  The idea is to write procs and assign the user permission to run them.  

Are you using SQL Auth?  If so, then the user doesn't really even need to know the userid and pwd. They just connect to the app, and go about their business.  They shoudln't really need to access the db directly.
0
 
LVL 3

Author Comment

by:jdraggi
ID: 22690762
angelIII, We're still in testing at this point so this is very good information.  So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?

chapmandew, Yes, we are using SQL Auth however we also have to support trusted connections as well.  I see your point about not allowing them to even know the username/password however that won't fly with this project.  They also want the ability to create their own reports/etc so the database has to be open but protected at the same time.
0
 
LVL 142

Accepted Solution

by:
Guy Hengel [angelIII / a3] earned 500 total points
ID: 22693124
> So, db_datareader and db_datawriter roles just let them update/add/remove table data, nothing else?
yes, exactly. on all existing and future tables.

0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
PL/SQL query 14 51
Recurring Excel Timelime for Veeam 2 37
SQL Server 2012 Express to Full 5 26
Authentication error 1 0
In this article I will describe the Copy Database Wizard method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
In this article we will get to know that how can we recover deleted data if it happens accidently. We really can recover deleted rows if we know the time when data is deleted by using the transaction log.
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…
Viewers will learn how the fundamental information of how to create a table.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now