December 15, 2003 at 8:54 am
We want to upgrade to MSDE as our db engine, but have the requirement to handle security separate from NT. We must prevent clients who will have a stand-alone instance from altering data. In the non-MS db currently in use, it is easy to have the application control all security to the db without known ways to break in and alter things.
Is there a way to alter MSDE security to have db-only mode instead of integrated or mixed mode? This may be a deal breaker.
Thanks,
Mike
December 15, 2003 at 10:37 am
MSDE security works much like SQL Server security. You can never turn off Windows integrated security; you can only turn off SQL Authentication.
However, you should be able to remove the local administrators group from the MSDE logins. (I say should, since I don't have an MSDE installation at present to test with.) Be sure you're not logged onto MSDE as a Windows administrator when you do this.
It's also worth mentioning that while MSDE doesn't come with client tools such as Enterprise Manager, EM can connect to MSDE just as it connects to any SQL Server.
December 15, 2003 at 11:42 am
Will the database be on the same computer as the end user?
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
December 16, 2003 at 10:39 am
This is for an application that will exist entirely at a clientn site. Both DB/app will be on the same PC.
A similar requirement may be to have a table that the application records actions and cannot be modified. i.e. Like you need a permanent record the windows userid of the person who wrote a check. This is a legal requirement we can't work around, and user education is not an allowed solution.
Thanks,
Mike
December 16, 2003 at 11:16 am
Unfortunately, a savvy user, regardless of database package is going to find a way around. In this particular case, stop the MSDE service, install a regular version of SQL Server, attach the databases to the new SQL Server, make the change, stop SQL Server, restart MSDE. You get the idea.
But yes, you should be able to remove BUILTIN\Administrators and this is, by default, the only Windows logins for MSDE and SQL Server. I have an article that talks about the gotchas, but most of them apply to the full blown version of SQL Server.
K. Brian Kelley, GSEC
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
K. Brian Kelley
@kbriankelley
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply