WIMVM
Starting Member
3 Posts
Posted - 2007-05-02 : 08:39:33

Hello, I want to offer a SQL 2005 server in a back-end configuration for my hosting clients. Basically this means that they administer the DB with a web-based tool, and the DB server itself is configured in the back end and has no direct connection to the internet. The DBs can only be accessed from the front-end web server.

- What security considerations should I take to use this server in a public hosting environment?
- We only allow web-based administration; no direct connections to the server are allowed or possible.
- Multiple databases will exist on the same server from different customers.

I really would like to have as much information as possible. There is not much useful information available on the web or in the books I own about SQL.

The question should actually be: what do you want to prevent from happening on your servers by authenticated users and of course unwanted users? And how do you do this?
rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-05-02 : 10:05:25

Create a db user for each customer with limited permissions, and don't put them in any server role.
WIMVM
Starting Member
3 Posts
Posted - 2007-05-02 : 12:59:13

quote: Originally posted by rmiao
Create a db user for each customer with limited permissions, and don't put them in any server role.

Is this secure enough to prevent these users from changing any system-related objects or executing, for example, some system-related stored procedures? What kind of access should this db user then have assigned, just db_owner? What do you mean by "limited permission"? Thanks already.
rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-05-02 : 14:06:56

If you let them manage db objects, then they need db_owner. Otherwise, just db_datareader and db_datawriter plus EXECUTE permission on user procedures.
WIMVM
Starting Member
3 Posts
Posted - 2007-05-02 : 15:35:46

Sounds logical. But will this prevent them from executing, for example, built-in stored procedures, so basically SPs that are not created by themselves but are available by default to any db_owner or user? I am thinking about xp_... etc.
rmiao
Master Smack Fu Yak Hacker
7266 Posts
Posted - 2007-05-02 : 22:46:48

SQL grants basic permissions to users by default, which should be sufficient in most cases.
DBSEC
Starting Member
2 Posts
Posted - 2007-06-07 : 17:53:30

quote: Originally posted by WIMVM
The question should actually be: what do you want to prevent from happening on your servers by authenticated users and of course unwanted users? And how do you do this?

Make sure the 'sa' account cannot be used from the web servers/IIS. Search for database authentication products. Look there: www.sqlsecurity.com.
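The provisioning that rmiao describes (one login and user per customer, no server role, db_datareader/db_datawriter plus EXECUTE on user procedures, or db_owner confined to the customer's own database), the xp_ check WIMVM asks about, and DBSEC's point about sa, written out as an added T-SQL example for SQL Server 2005. This is not code from any of the posters; acme_db, customer_acme, the password and the renamed sa login name are placeholders, and the script assumes it is run by a sysadmin login.

```sql
-- Added example (not from the thread). Provisioning one hosting customer on
-- SQL Server 2005, plus the checks discussed above. Run as a sysadmin.
-- Placeholders: acme_db, customer_acme, the password, the renamed sa name.

USE master;
GO

-- 0. xp_cmdshell is off by default on SQL Server 2005; make sure it stays off.
--    Only sysadmin can run it anyway, and no customer login will be sysadmin.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 1. One database per customer.
CREATE DATABASE acme_db;
GO

-- 2. One SQL login per customer. No server role membership at all: not even
--    dbcreator or securityadmin, which would let it reach other tenants.
CREATE LOGIN customer_acme
    WITH PASSWORD = 'Replace-with-a-long-random-password-1!',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = acme_db;
GO

-- 3. Map the login to a user in its own database only (no user in any other
--    tenant's database, and none in master beyond the built-in guest mapping).
USE acme_db;
GO
CREATE USER customer_acme FOR LOGIN customer_acme WITH DEFAULT_SCHEMA = dbo;
GO

-- 4a. Tighter option: read/write data plus EXECUTE on procedures in dbo
--     (procedures you deploy for the customer; the user cannot create objects).
EXEC sp_addrolemember 'db_datareader', 'customer_acme';
EXEC sp_addrolemember 'db_datawriter', 'customer_acme';
GRANT EXECUTE ON SCHEMA::dbo TO customer_acme;
-- 4b. If the customer must manage their own tables and procedures, use this
--     instead of 4a. db_owner is confined to acme_db; it grants nothing in
--     master or in other customers' databases.
-- EXEC sp_addrolemember 'db_owner', 'customer_acme';
GO

-- 5. Checks. Membership in fixed server roles: expect no rows.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'customer_acme';

-- What the customer can do, seen from its own security context. For the
-- xp_ procedure expect 0 (or NULL if the login cannot even see the object),
-- never 1. For option 4a the database-level list should contain no ALTER,
-- CONTROL or CREATE permissions.
EXECUTE AS LOGIN = 'customer_acme';
SELECT HAS_PERMS_BY_NAME('master.sys.xp_cmdshell', 'OBJECT', 'EXECUTE')
       AS can_run_xp_cmdshell;
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
GO

-- 6. DBSEC's point: the web tier must never hold sa. After confirming another
--    sysadmin exists (typically the Windows administrators group), disable and
--    rename sa so a leaked or guessed connection string cannot use it.
USE master;
GO
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [srvadmin_disabled];
-- sa's SID is always 0x01: expect is_disabled = 1 and the new name.
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;
GO
```

The web-based administration tool then connects with the customer's own login (customer_acme here), never with sa or any sysadmin account, so a compromise of the front end is bounded by what that one login can do inside its own database. sp_addrolemember is used rather than ALTER ROLE ... ADD MEMBER because the latter does not exist on SQL Server 2005.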