Only Use My Application

  • The most appropriate solution is to create a custom logon trigger. So I would say there are no appropriate solutions in the provided list...

    For example, -mSQLCMD limits connections to a single connection and that connection must identify itself as the SQLCMD client program.

    In this case there will be only one connection from SQLCMD; you won't be able to create another session to the same instance using the same application. So this is incorrect as well. :blink:
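    As an added illustration (not code from this thread or from SQLServerCentral) of the logon-trigger approach recommended above: a server-level trigger that refuses an assumed login 'maint_user' unless the session reports the assumed application name 'MyMaintenanceApp', plus an audit query a DBA can run to see what each session claims to be. Since APP_NAME() is whatever the client reports, the trigger is an operational guard rather than a strong identity check.

```sql
-- Added example: enforce "only use my application" for one login via a logon trigger.
-- 'maint_user' and 'MyMaintenanceApp' are assumed names for illustration.
-- Unlike the -m"SQLCMD" startup parameter, this does not limit the instance
-- to a single connection; it only filters which sessions that login may open.
USE master;
GO
CREATE TRIGGER trg_only_my_application
ON ALL SERVER
FOR LOGON
AS
BEGIN
    -- The trigger runs in the context of the connecting login.
    -- APP_NAME() is the client-supplied "Application Name" connection-string
    -- value, so this check documents intent; it does not authenticate the client.
    IF ORIGINAL_LOGIN() = N'maint_user'
       AND APP_NAME() <> N'MyMaintenanceApp'
       AND IS_SRVROLEMEMBER(N'sysadmin', ORIGINAL_LOGIN()) = 0   -- never lock admins out
    BEGIN
        -- ROLLBACK inside a logon trigger refuses the connection and logs it.
        ROLLBACK;
    END
END;
GO

-- Audit: which login, host and program name does each current session report?
-- Requires VIEW SERVER STATE. A program_name that does not match the tool you
-- expect for a given login is the signal to investigate.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
ORDER BY s.login_time DESC;
GO

-- Recovery: if the trigger ever blocks you, connect over the Dedicated Admin
-- Connection (sqlcmd -A), which logon triggers do not apply to, and run:
-- DROP TRIGGER trg_only_my_application ON ALL SERVER;
```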

  • Very interesting question, thanks Steve.
    However, the -m parameter implies single user login mode. This, in turn, implies only one session for the one login.
    However, if the aim is to have multiple users connecting via a given application this would not work...

    ____________________________________________
    Space, the final frontier? not any more...
    All limits henceforth are self-imposed.
    “libera tute vulgaris ex”

  • My apologies, as this one had poor wording. I should have specified one connection from one application.

    Points awarded back and the question clarified.

  • Glad I didn't see the previous version. I found myself really thinking it through because I never use it.

  • Very good question. Very clear when I read it. Learnt something new as well.

  • We use a logon trigger

  • The referenced page mentions that the connection must identify itself as the application in question. I answered that this isn't possible, since any connection can identify itself as any application.

    John

  • John Mitchell-245523 - Tuesday, May 30, 2017 5:52 AM

    The referenced page mentions that the connection must identify itself as the application in question. I answered that this isn't possible, since any connection can identify itself as any application.

    John

    +1

    Far away is close at hand in the images of elsewhere.
    Anon.

  • John Mitchell-245523 - Tuesday, May 30, 2017 5:52 AM

    The referenced page mentions that the connection must identify itself as the application in question. I answered that this isn't possible, since any connection can identify itself as any application.

    John

    +1

    97 percent KO Derf

  • I'm glad I didn't see this before it was corrected, but even after correction I think it's a somewhat infelicitous question.

    It is a matter of guessing whether the correct answer is the first option or the 4th option. I picked the 1st option despite knowing it to be a very bad answer from a security point of view (it's an utterly insecure method of attempting to restrict connection to a single application) because the restriction to only one connection was there, and as a result it looked as if it wasn't intended to be a security question but something about some once-in-a-while operational thing where security probably wouldn't be an issue (hence utterly insecure, because where people say "security probably isn't an issue" is usually where security is badly broken).

    Tom

  • +x

    TomThomson - Tuesday, May 30, 2017 7:25 PM

    I picked the 1st option despite knowing it to be a very bad answer from a security point of view 

    I picked the 4th because the question was "Only Use My Application", guessing the question was about limiting USERS to use SQL with a provided, trusted application. In that case, the 1st answer is not correct because nothing can prevent the user from launching any other application that presents itself with the allowed name.

  • zerbit - Wednesday, June 7, 2017 6:31 AM

    +x

    TomThomson - Tuesday, May 30, 2017 7:25 PM

    I picked the 1st option despite knowing it to be a very bad answer from a security point of view 

    I picked the 4th because the question was "Only Use My Application", guessing the question was about limiting USERS to use SQL with a provided, trusted application. In that case, the 1st answer is not correct because nothing can prevent the user from launching any other application that presents itself with the allowed name.

    I tend to agree, the first option is a bad answer and the 4th option is a good one. But the "correction" didn't make any difference to anything but the first option, and merely made the question wording more inclined towards the 1st option, so that seemed to me to indicate that the intention of the question was the first option despite it being utterly insecure.

    Tom

  • It's not utterly insecure. It's just not perfectly secure.

    I can pick an application name and limit connections to that application name. I would easily wager the vast majority of cases this is sufficient security for the window in which it's involved. Your complaints seem to center on this idea that a hacker would be able to figure out the name and then set a connection string to get to the server before you could.

    This is a part of single user mode, which for SQL Server means very rare time periods when an admin needs to perform some maintenance or administrative change.

    In terms of a valid administrative strategy, where I want to prevent SQL Agent or some client application from connecting, this solves the issues, quizzes someone on the option, and teaches others.

    I'll stand by the question from a practical standpoint.

  • Steve Jones - SSC Editor - Thursday, June 8, 2017 10:05 AM

    It's not utterly insecure. It's just not perfectly secure.

    I can pick an application name and limit connections to that application name. I would easily wager the vast majority of cases this is sufficient security for the window in which it's involved. Your complaints seem to center on this idea that a hacker would be able to figure out the name and then set a connection string to get to the server before you could.

    This is a part of single user mode, which for SQL Server means very rare time periods when an admin needs to perform some maintenance or administrative change.

    In terms of a valid administrative strategy, where I want to prevent SQL Agent or some client application from connecting, this solves the issues, quizzes someone on the option, and teaches others.

    I'll stand by the question from a practical standpoint.

    Yes, "utterly insecure" was an overstatement; I should have said something milder. But... it isn't completely secure, so it's insecure, not secure. Is the practical case a genuine one-off, or is it some event that causes restriction to this single application to be required now and again - or even worse, at regular predictable intervals? In the latter case, it's maybe not secure enough. In the former case, it's probably secure enough for most purposes. For rare repetition at unpredictable times, it may well be secure enough but it could potentially be not secure enough (depending on how much harm someone else hijacking that one connection could inflict).

    Tom
