Third Party Access to Internal SQL Servers

  • We have a hosted SQL server with various internal applications on it. It has been decided by on high that the same server will also have a database from a third party on the server. The third party have asked for full system admin rights on the SQL server.

    Obviously I am not going to grant that access level as it gives them full control on the box. From my viewpoint read and write access to the data can be tolerated but anything else will be denied. Would you consider this standard and is there any documentation with recommendations for control of external suppliers ?

    I am sure that they shouldn`t be doing any work on tables structure, sp`s etc on a live database. That work should be tested, scripted etc and then run on in a controlled environment by my company.

    Anyone have any advice ?

    Thanks

    SI

  • It depends on support arrangements in place between your company and theirs. If they insist on more than read / write access to the database and need sysadmin rights to the sql server you could perhaps install a second instance with their database only on it.

  • Thanks for such a quick response. I ran that by them before actually though, and they are adamant that their application will only see the defualt instance. Plus I believe it has a negative affect on the way that we have set up DR on the box.

    Cheers

  • I would say give them read-only access, and if they want anything changed, ask them to supply you with a script. I think if you go for anything less than that, your auditors will pull you up on it.

    John

  • Thats certainly my thinking. With open access they can do serious damage by mistake which might not just be limited to their application but could impact accross the board.

    I`m sure there must be something in ISO 27001 which would convince my board that locking them down is the way forward. Just can`t put my finger on anything at the moment.

  • Unless it is hard-coded to only use the default instance (CRM 3.0 was this way at first), you can fool the application with an alias at the application server. So you can still give them a named instance and the app think it's a default instance. With that said, it should be your management that determines whether or not said 3rd party can have the access they need. When you explain the risk to your own databases, maybe someone will cough up for another server or go back to said 3rd party and say, "No. You get read/write on your DB and that's it."

    K. Brian Kelley
    @kbriankelley

  • there are cases where the 3rd party vendor might have a legitimate need to the system as a whole...

    especially if they are not only providing the application, but also supporting and administering it.

    performance monitoring, security/user setup, day to day maintenance/management...

    If it is that critical of an issue, you should put it on a dedicated server.

    just my $.02

Viewing 7 posts - 1 through 6 (of 6 total)

You must be logged in to reply to this topic. Login to reply