Granting access to database via local group vs. via domain account directly.

  • Hello all,

    Maybe you can help me with this security related question:

    I have set up a website; the access to the website is such that when an anonymous user connects, a Windows domain account will be used. The website uses a SQL Server 2005 database.

    The Windows domain account is a member of a local group; this local group has been added as a user to the database, and has been given the appropriate permissions to stored procedures.

    This works.

    My question:

    Which security risk(s) do I introduce if I bypass the local group, and add the domain account directly as a login to the SQL Server, and add the login as a user to the database?

    thanks,

    Hans

  • I don't think there's any security risk by adding a login for the domain account. The reason why it's recommended to use groups is purely to reduce administrative efforts.

    In your case, where you have just one generic account, which to me seems to be used like a proxy account, it won't make a difference.

    Markus Bohse

  • Thank you for this swift reply Markus.

    What I noticed is that I did not have to grant access rights explicitly to stored procedures when I added the domain account directly as a user to the database.

    When the access was arranged via the local group, I had to grant these rights explicitly. I wonder if the domain account (a member of domain users, nothing special) gets these permissions by default somehow?!

    Hans

  • That's strange.

    Are you sure you gave the domain account exactly the same permissions in the databases as the group? By default only db_owner and sysadmins can execute stored procedures without explicit grant.

    Markus Bohse
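
The check raised in the last reply, written out as an added example that is not part of the original thread: it shows whether the account ends up as sysadmin, as dbo or in db_owner, or inherits EXECUTE through a grant to public. `WebDb`, `CONTOSO\WebAnon` and `WEBSRV01\WebUsers` are placeholder names, and the script assumes it is run by someone allowed to impersonate the login (for example a sysadmin).

```sql
USE WebDb;                                   -- placeholder database name
GO

-- Run the checks in the security context of the web site's account.
EXECUTE AS LOGIN = N'CONTOSO\WebAnon';       -- placeholder domain account

-- sysadmin members bypass permission checks entirely (1 = member).
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 'dbo' here means the login maps to the database owner, which also
-- explains procedures running without any explicit GRANT.
SELECT USER_NAME() AS mapped_database_user;

-- Roles and Windows groups contributing to the account's access.
SELECT name, type, usage
FROM sys.user_token;

-- Effective database-wide permissions that would cover every procedure.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE')
WHERE permission_name IN ('EXECUTE', 'CONTROL');

REVERT;
GO

-- Role memberships of the account and of the local group, side by side.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name IN (N'CONTOSO\WebAnon', N'WEBSRV01\WebUsers');

-- Explicit grants to either principal or to public (inherited by every user).
SELECT pr.name AS grantee, pe.state_desc, pe.permission_name, pe.class_desc,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id) END AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.permission_name IN ('EXECUTE', 'CONTROL')
  AND pr.name IN (N'public', N'CONTOSO\WebAnon', N'WEBSRV01\WebUsers');
```

Any difference between the rows returned for the account and for the group is the extra privilege the direct login carries.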
