Blocking Connection to Server

  • Good Afternoon,

    We recently procured a service management software for our company, which uses SQL Server 2019 (15.0.2125.1) as the backend.

    The client application uses SQL usernames to log in to the application. I find this a security issue, as any internal user can directly connect to the server, either through ODBC or through SSMS itself, using the application username and password given to them.

    Ideally, application users have to be handled within the application, and clients will not be using SQL usernames to log in to the application. I am a bit surprised that this application is designed this way.

    Can anyone please throw some light on how this can be sorted out? Is there any firewall available which can be configured in such a way that it will look for the name of the application from the incoming connection?

    Thank You!

    • This topic was modified 3 hours, 40 minutes ago by  thomaspsimon.
  • A poor man's solution: logon-triggers https://www.sqlshack.com/prevent-sql-server-login-authentication-scope-using-logon-trigger/
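
The logon-trigger approach from the reply above, sketched in T-SQL as an added example (it is not code from the thread or from the linked article). The login names `svcdesk_user1`/`svcdesk_user2`, the program name `ServiceDeskClient` and the trigger name are placeholders to be replaced with the values the first query reports for the real application.

```sql
-- Step 1: see which program_name the vendor client actually reports,
-- and which other tools are already connecting with the same logins.
SELECT login_name, program_name, host_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
GROUP BY login_name, program_name, host_name
ORDER BY login_name, program_name;
GO

-- Step 2: refuse the application logins when they arrive from any other
-- program. Only the listed logins are tested, so DBA and service accounts
-- never depend on this trigger to get in.
USE master;
GO
CREATE TRIGGER trg_restrict_app_logins   -- hypothetical name
ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF ORIGINAL_LOGIN() IN (N'svcdesk_user1', N'svcdesk_user2')  -- placeholders
       AND APP_NAME() NOT LIKE N'ServiceDeskClient%'             -- placeholder
    BEGIN
        DECLARE @host nvarchar(128) =
            EVENTDATA().value('(/EVENT_INSTANCE/ClientHost)[1]', 'nvarchar(128)');

        -- PRINT output from a logon trigger is written to the SQL Server
        -- error log, which gives an audit trail of refused attempts.
        PRINT N'Logon refused: ' + ORIGINAL_LOGIN()
            + N' from ' + ISNULL(@host, N'?')
            + N' using ' + ISNULL(APP_NAME(), N'?');

        ROLLBACK;  -- rolling back inside a logon trigger rejects the connection
    END
END;
GO

-- Recovery if the trigger misbehaves: connect over the dedicated admin
-- connection (sqlcmd -A) and run one of the following.
-- DISABLE TRIGGER trg_restrict_app_logins ON ALL SERVER;
-- DROP TRIGGER trg_restrict_app_logins ON ALL SERVER;
```

`APP_NAME()` is whatever the client reports and SQL Server does not verify it, so this works as a deterrent and an audit trail rather than as an access control. Keep a sysadmin session open while testing so a mistake in the trigger can be undone without the admin connection.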

     

  • I'd also have a meeting with the 3rd party creators of the software and ask them to fix it.

    As a bit of a sidebar, this is one of the many things I check for before ok-ing 3rd party software.

    --Jeff Moden


