May 24, 2006 at 9:54 am
Is there "Best Practices" standard for what type of users should not have Enterprise Manager loaded on their workstations?
May 24, 2006 at 9:58 am
Anyone who doesn't need it. And I would think that includes everybody except DBAs and developers.
John
May 25, 2006 at 7:33 am
It seems like if the server, it's databases and their objects have been secured to only allow access to people who are allowed it, then who actually installs enterprise manager to their desktop is irrelevant. There could be other types of people who need/want enterprise manager, such as analysts. As long as they only have read-only access and access on only the relevant objects, then to my knowledge there shouldn't be a problem. I guess it depends on each companies security requirements.
May 25, 2006 at 7:37 am
In our case we have Help Desk associates who add and delete users on legacy applications, where the application authentication is done via sql login. I was trying to find a way to have them do it without giving them EM.
May 25, 2006 at 7:43 am
Oh wow, so what permissions do those help desk associates have on your server?
May 25, 2006 at 7:50 am
No permissions on the server, but the sql log in they use currently has serveradmin rights on the SQL instance.
May 25, 2006 at 8:47 am
Actually it's relevant from an information disclosure issue. EM is an easy tool to see all the databases and users that exist on a SQL Server. So even though you may be in Finance and have access to the Finance database, you may be able to see that HR's database is also on the same server... SQL Server 2000 has this issue in general, though, so it's not just an EM problem. However, EM, with its GUI, makes it easy for users to see everything.
K. Brian Kelley
@kbriankelley
May 25, 2006 at 10:12 am
Right, thats a good point I didn't think of when I wrote that.
It reminds me of how in college, the universities IT department offered backed up storage space for every person. You could connect to it with an FTP client or a telnet client. With the telnet client you could change directory up above your account and list all of the other user accounts on that server. You couldn't get into anyone elses account, but the directories were named the same as the handle part of every students e-mail address. So you could copy all of the text output from the screen and put into a file, make that file tab seperated, write a quick program that concatenates the @university.edu part of the e-mail address onto it, and you have yourself an e-mail list with every student, faculty and staff member. This potential security problem might allow a disgruntled student upset about a plan to double student fees to pay for a luxury recreation center to mass e-mail your university expressing his concerns about said plan...
My universities exchange e-mail admin was kind of surprised when I explained this to him. So thats kind of similar. Just knowing who and whats on a server is a security probelm.
May 25, 2006 at 11:41 am
Set up the rights so that the Help Desk people can only change login passwords for the legacy applications.
Have them use your choice of query analyzer and learn the ALTER LOGIN syntax.
http://msdn2.microsoft.com/en-US/library/ms189828.aspx
No need for Enterprise Manager, but the burden is on you to lock them down to only necessary tasks.
May 25, 2006 at 1:46 pm
May 26, 2006 at 7:27 am
ALTER LOGIN is for SQL Server 2005... Enterprise Manager is used to manage SQL Server 2000 (and 7.0, since it supported those). SQL Server 2000 uses sp_password, and that requires either a securityadmin or sysadmin fixed server role level to make the change (unless you're changing the password for your own login). An easy way to handle this would be to build a very quick ASP or ASP.NET application that logged on to the SQL Servers with an appropriately leveled account. The web pages are secured using Windows Integrated Authentication in IIS and the files themselves are secured such that only the help desk group has access to them. The IIS would handle authenticating it is a legitimate help desk person and you wouldn't have to grant securityadmin access to every help desk person.
K. Brian Kelley
@kbriankelley
Viewing 11 posts - 1 through 10 (of 10 total)
You must be logged in to reply to this topic. Login to reply