Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
kbdrand
Starting Member
14 Posts |
 Posted - 2002-10-29 : 16:23:05
|
| We have an application that uses a username and password for access to the SQL Server that has been given basically 'sa' access. We would like to restrict use of this username/password to only a handful of IP addresses or hosts to ensure that a casual user could not use the account to gain unrestricted access.Is there a way to restrict login of a particular account to a particular IP range, or IP address or host name, etc? |
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-10-29 : 16:32:17
|
| Not through SQL Server directly. You can set up some firewall software or use the Windows computer management functions to set up IP filters. In all honesty though, that is not a good way to do it.NOBODY, ABSOLUTELY NOBODY, should be using "sa" to do work or connect to SQL Server. EVER. Every administrator needing sa access should have their own login with the appropriate permssions. DO NOT SHARE logins between administrators. Doing that will go a long way, if not all the way, towards securing your server from unauthorized access; failure to do so will never fully guarantee against it.If you can take advantage of Windows authentication then I suggest you do so, since the Windows network can utilize stronger security than SQL Server authentication. In any case, stop using sa RIGHT NOW, change its password, and create logins for those people who need the access. |
 |
|
|
kbdrand
Starting Member
14 Posts |
Posted - 2002-10-29 : 16:36:10
|
| I'm sorry, I didn't really explain it well. We aren't using 'sa', we are using an account for the application that has complete control over that particular database. We don't want a user getting access to that account since the database contains sensitive financial data and users should be restricted to their Windows authentication. The problem lies in the fact that while we have control over the physical database machine, we have no control over the application development platform, nor do we have control over the application developers, so they could give out this application username and password to anyone and we have no way to stop them from using that account since it has to be enabled for the application to function. |
|
|
|
robvolk
Most Valuable Yak
15732 Posts |
Posted - 2002-10-29 : 17:29:55
|
| I think you need to get back to the application developers then. If you're responsible for keeping the data secure, you need to impress upon them that THEY need to comply with YOUR needs, not the other way around. Especially if they don't offer to be fully responsible for any security breaches that occur...since THEY can give out the password to anyone, THEY are the people most likely to cause problems.And there's no reason for them to get pissy about using Windows authentication. It's just as easy to use as a SQL Server login. In fact it makes the connection code a little easier and far more secure.There's only so much security you can get out of IP filtering anyway, since any moron end-user can walk away from their computer while it's logged in and someone can use it while they're gone. While this can happen with Windows authentication too, you can set up a forced re-login protocol, and whoever does log in will use their login and password, not some common login.Don't forget that you DO have control over the logins the developers use, and if breaches occur, everyone could end up locked out until you find out who did it. If you can't get them or their superiors to see that, then at least make sure your boss knows. |
|
|
|
|
|
|
|
|
User/Application access from an IP address?