February 13, 2013 at 8:21 am
Hello
I have an application that dynamically creates databases.
I have a 2nd application (McAfee) that needs to have a user for all databases in the one instance. (the instance where the dynamically created databases go)
The vendor recommends giving the "SQL McAfee user" sysadmin so that the application will automatically have access to the dynamically created database.
Is there another option? Handing out sysadmin rights to a login for an application creates a security risk.
Thanks
Dave
February 13, 2013 at 9:37 am
I agree that granting sysadmin to extra users is a security concern that should be talked through. The alternatives I see are:
1. Have McAfee run as a Windows account that has the sysadmin server role where the password doesn't change, but this is effectively the same thing.
2. Use EXECUTE sp_addrolemember to grant db_owner (or another level of permissions) to the user McAfee is using.
3. Something else I haven't considered. I'm not that familiar with virus scanners running across SQL Server databases, so I'm not the best source of information on it. I would think, however, that running McAfee would slow things down.
February 13, 2013 at 12:45 pm
I like option 2 and that can be achieved dynamically using a DDL TRIGGER such that every time a database is created a new Database User is added for the McAfee Login and it is added to the db_owner Role.
Re: #3, I would also be leery of what McAfee is doing in terms of slowing things down.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
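The DDL trigger approach described in the post above, written out as an added example (it is not code from any poster in this thread). The login name `McAfeeSvc` and the trigger name are hypothetical, and the role is a variable so that a narrower role than db_owner can be substituted.

```sql
-- Added example. McAfeeSvc and trg_map_mcafee_login are hypothetical names.
USE master;
GO
CREATE TRIGGER trg_map_mcafee_login
ON ALL SERVER
FOR CREATE_DATABASE
AS
BEGIN
    SET NOCOUNT ON;

    DECLARE @login sysname = N'McAfeeSvc';  -- hypothetical application login
    DECLARE @role  sysname = N'db_owner';   -- replace with a narrower role if the product works with one
    DECLARE @db    sysname =
        EVENTDATA().value('(/EVENT_INSTANCE/DatabaseName)[1]', 'nvarchar(128)');

    -- Nothing to map if the login does not exist on this instance.
    IF SUSER_ID(@login) IS NULL OR @db IS NULL
        RETURN;

    -- The database name comes from the CREATE DATABASE statement, so it is
    -- bracket-quoted with QUOTENAME before being placed in dynamic SQL.
    DECLARE @sql nvarchar(max) =
          N'USE ' + QUOTENAME(@db) + N'; '
        + N'IF USER_ID(' + QUOTENAME(@login, '''') + N') IS NULL '
        + N'CREATE USER ' + QUOTENAME(@login)
        + N' FOR LOGIN ' + QUOTENAME(@login) + N'; '
        + N'EXEC sp_addrolemember ' + QUOTENAME(@role, '''')
        + N', ' + QUOTENAME(@login, '''') + N';';

    EXEC (@sql);
END;
GO

-- Confirm the trigger is installed and enabled at server scope.
SELECT name, is_disabled
FROM sys.server_triggers
WHERE name = N'trg_map_mcafee_login';
```

The trigger body runs in the security context of whoever issues CREATE DATABASE, which is the account that owns the new database and can therefore create the user in it.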
February 13, 2013 at 1:12 pm
Agreed. Unfortunately, McAfee slows everything down.
February 13, 2013 at 4:49 pm
My general rule is that whenever a third party application requires privileges beyond dbowner on its own databases, it gets its own instance.