Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

sql server - server level logins for apps

Posted on 2014-04-10
3
440 Views
Last Modified: 2014-04-29
is it common for applications with an underlying sql server database, to have a high number of server level logins for users of the application? Or can this be seen as a security issue? I am not a developer so unsure how the applicaiton and underlying DB typically interact.
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 30

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 39992731
'High number' is relative.  

When you say server level logins, you mean actual login credentials that exist to allow users to authenticate, and permit database users to be associated?

I don't see many applications which establishes a sql login per user of the application.   I can only think of one application I currently support that does this, and it's been limping along for decades, and will be end of life in 2017.  I'd be surprised to see another application do this, but in some ways it's more secure than some of the other security systems I've seen implemented.  (It is, however, a support challenge, and means that support of the application will require some database server role that I would prefer not to have to hand out.)

Slightly more frequently, an application will take advantage of Windows Integrated (Active Directory) credentials, and I can put a domain group in SQL security, the user can only access the database if they are in the correct group -- then the application has it's own internal authentication system internal to the application.  

Most frequently, I see a web based application which gets a small group of login/users, and the application takes care of all the actual user authentication completely invisibly to SQL.  (And in this case, I have to settle for a login who can read/write to necessary tables, a different login which is only used for updating the schema, and if I'm lucky - a third login which can only read some necessary tables.)   (Tragically, I frequently see third party applications which expect to install it's database as sysadmin, and run all it's communication from it's web application as sysadmin.  My server admins enjoy watching my hair stand up on end when vendors mention that this how their software installs...)

Does that help?  Or did I go off in the wrong direction?
0
 
LVL 3

Author Comment

by:pma111
ID: 39992748
Great help thanks
0
 
LVL 3

Author Comment

by:pma111
ID: 39993590
?>>When you say server level logins, you mean actual login credentials that exist to allow users to authenticate, and permit database users to be associated?


Yep, anything listed in sys.syslogins
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Problem with email format from SQL DB 4 34
Download ms sql express. 2 23
sql server query 18 33
RESTORE MASTER DATABASE -- NOW 2 14
Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
Load balancing is the method of dividing the total amount of work performed by one computer between two or more computers. Its aim is to get more work done in the same amount of time, ensuring that all the users get served faster.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question