January 25, 2010 at 5:54 pm
This response is directly to the editorial - I haven't read any of the other comments yet.
I don't know why anyone is looking at DB security as something separate from system security; if your system is not secure, what's the point of securing your DB? You think that somehow you can keep the DB services going if all the servers on which they could run are taken out? If you think that, you are crazy!
I do understand that there are idiots out there who demand full sysadmin privileges to run their applications. The sensible thing to do is to ban those idiots from your system - not to allow your security to be wrecked. So, for example, if that means you can't use SAP because IBM's SAP consultants are not prepared to work securely, ditch SAP - don't ditch common sense instead (IBM officially agrees with me - but in practice it won't control those consultants; see for example the comments at http://forums.theregister.co.uk/forum/1/2010/01/22/somerset_police_computers, where the first comment is pretty scary and a later comment includes the rather frightening statement: "I too am deeply concerned about the security aspects of the various implementations - the consultants seem to take the view that they own everything and expect to be able to gain full admin access without so much as a "by your leave" - but woe betide anyone that dares to question what they are doing. SAP actually have specific processes and procedures that ALL consultants are supposed to follow - yet it is clear that few if any know about these and none seem to follow them").
The example I have quoted is IBM approved consultants with SAP - but don't take that as anti-IBM or anti-SAP: there are loads of applications out there from loads of vendors that require consultants to install and configure them (either because the vendor won't tell the customer how - whether because they want to lock in the consultancy fees or because they don't actually know themselves - or because the configuration UI requires a PhD in CS plus a PhD in accountancy plus an MBA plus 10 years experience of using the product to understand it) and SAP is not (quite) the worst.
I for one am an advocate of using only NT authentication - no SQL logins except for any needed to provide remote access from untrusted domains. This seems to be diametrically opposed to what Steve is suggesting in the editorial - and that worries me a great deal, as I usually agree with what he has to say.
Tom
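The following T-SQL is an added example, not part of Tom's post or of the editorial he is replying to. It audits the three things his position turns on: whether the instance is Windows-only or mixed mode, which SQL logins (passwords stored in SQL Server rather than in AD) would remain, and who currently holds sysadmin. It assumes SQL Server 2005 or later and a caller with VIEW ANY DEFINITION (sysadmin is sufficient); the comparison columns are the catalog's own.

```sql
-- Added example (not from the thread): audit authentication mode,
-- remaining SQL logins and sysadmin membership on one instance.
-- Assumes SQL Server 2005+ and a caller with VIEW ANY DEFINITION.

-- 1. Authentication mode.
--    1 = Windows authentication only ("NT authentication" in the post),
--    0 = SQL Server and Windows (mixed mode).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_only;

-- 2. Every SQL login on the instance. Each of these is a password that
--    SQL Server, not Active Directory, is responsible for. Under the
--    "NT-only" policy the list should reduce to the handful needed for
--    remote access from untrusted domains, with the rest disabled.
SELECT name, is_disabled, is_policy_checked, is_expiration_checked,
       create_date, modify_date
FROM sys.sql_logins
WHERE name NOT LIKE '##%'    -- skip the built-in certificate-based logins
ORDER BY name;

-- 3. Who is sysadmin? This is where consultants demanding "full admin",
--    and any BUILTIN\Administrators login, show up.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 4. Example remediation for one surplus SQL login found in step 2.
--    'legacy_app' is a made-up name; disable rather than drop so that
--    any object ownership it holds is not orphaned during the change.
ALTER LOGIN legacy_app DISABLE;
```

Switching the mode itself (SSMS Server Properties > Security, or the instance's LoginMode registry value) takes effect only after a service restart, so run step 1 again afterwards rather than trusting the dialog.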
January 25, 2010 at 5:58 pm
Ben Leighton (11/20/2009)
majorbloodnock (11/20/2009)
Japie Botma (11/20/2009)
Recommended or not. This is what the auditors want in a corporate world. To prevent network administrator access.
I agree, and I must admit there are one or two instances where I'd like it too. I know it's possible to amend the security of a SQL server so the built in Administrators group doesn't automatically have God rights, but it's still a mighty big assumption that any of your AD admins should have access to do anything with corporate databases by default. In my experience, few people with the skills to administer an Active Directory domain also have the skills necessary to be an effective DBA.
I think you are missing the point... Windows authentication is just that... authentication. It tells SQL Server that you are one of a group of people authorised to work on a network... Thus it is not just possible to amend the security of a SQL Server, it is crucial... You don't control access to your data via authentication, you do it through the various security roles, schemas etc. that you set up within your server which authorise access...
The point however is that if you remove windows authentication you remove the possibility of an extra layer of security because if a user just has a sql password how do you know they are an authenticated user on your network? That may not matter in all instances but why would you really want to remove it?
This looks to me like a total failure to understand how SQL authorisation works. Users (including NT users) should be assigned to roles. The roles are purely internal to SQL Server, and control everything to do with authorisation. Letting NT do the authentication has no effect on the control, in SQL, of authorisation.
Tom
January 25, 2010 at 6:16 pm
Gift Peddie (11/20/2009)
You want to explain why there are no roles in Windows and there are roles in SQL Server from the time I have been using it, which is 7.0 and up
That's a really bizarre statement!! Windows has had roles ever since I can remember - they have been called something different, but they control what the user can do, just like an SQL server role controls what its member users can do. Just to make it even more bizarre, Windows users can be added to SQL Server roles exactly as SQL users can - so what feature of roles do Windows users lack?
[edited to fix a typo (misplaced "s")]
Tom
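The T-SQL below is an added example, not code from either post; it illustrates both Tom's point in the earlier reply (authentication and authorisation are separate, and roles are where authorisation lives) and his point here (a Windows principal and a SQL principal join a SQL Server role the same way). The database SalesDb, the Windows group CORP\SalesAnalysts, the SQL login app_reporting and the tables dbo.Orders and dbo.CustomerCards are all made up for the illustration; the syntax is SQL Server 2005/2008 era, matching the thread.

```sql
-- Added example (not from the thread). All names below are hypothetical:
-- SalesDb, CORP\SalesAnalysts, app_reporting, dbo.Orders, dbo.CustomerCards.
-- Requires ALTER ANY LOGIN on the server and db_owner in SalesDb.

-- AUTHENTICATION: two logins. One is resolved by Windows/AD at connect
-- time; the other is a password that SQL Server itself verifies.
CREATE LOGIN [CORP\SalesAnalysts] FROM WINDOWS;
CREATE LOGIN app_reporting
    WITH PASSWORD = N'replace-with-a-generated-secret',  -- placeholder only
         CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
GO

USE SalesDb;
GO
-- Map each login to a database user. Still nothing about what they may do.
CREATE USER [CORP\SalesAnalysts] FOR LOGIN [CORP\SalesAnalysts];
CREATE USER app_reporting FOR LOGIN app_reporting;

-- AUTHORISATION: a database role owns the permissions. No user gets a
-- grant directly, so the permission set is the same whichever way the
-- member authenticated.
CREATE ROLE sales_readers;
GRANT SELECT ON SCHEMA::dbo TO sales_readers;
DENY  SELECT ON dbo.CustomerCards TO sales_readers;   -- sensitive table

-- A Windows group and a SQL login are added to the role identically.
EXEC sp_addrolemember 'sales_readers', 'CORP\SalesAnalysts';
EXEC sp_addrolemember 'sales_readers', 'app_reporting';
GO

-- VERIFY: impersonate the SQL user and list its effective permissions.
-- (A Windows *group* cannot be impersonated; test with a member account.)
EXECUTE AS USER = 'app_reporting';
SELECT permission_name FROM fn_my_permissions('dbo.Orders', 'OBJECT');
    -- contains SELECT, inherited from the role
SELECT permission_name FROM fn_my_permissions('dbo.CustomerCards', 'OBJECT');
    -- SELECT absent: the DENY on the role wins over the schema-level GRANT
REVERT;
GO

-- Taking the instance to Windows-only authentication later would stop
-- app_reporting connecting, but would leave sales_readers and its
-- permissions exactly as they are: authentication changed, authorisation did not.
```

The check at the end is the practical test of the thread's claim: if you ever see a permission that appears only for the SQL user or only for the Windows user, someone has granted to a principal directly instead of to the role.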
January 25, 2010 at 6:29 pm
Tom.Thomson (1/25/2010)
Gift Peddie (11/20/2009)
You want to explain why there are no roles in Windows and there is roles in SQL Server from the time I have been using it which is 7.0 and up
That's a really bizarre statement!! Windows has had roles ever since I can remember - they have been called something different, but they control what the user can do, just like an SQL server role controls what its member users can do. Just to make it even more bizarre, Windows users can be added to SQL Server roles exactly as SQL users can - so what feature of roles do Windows users lack?
You are talking about groups, which I know have changed in every Windows I have used. Why those can be imported is because that is how Microsoft wanted it, not really related to roles in SQL Server, because with Windows authentication without an application context AD resolves the user.
Kind regards,
Gift Peddie
January 26, 2010 at 6:50 am
Tom.Thomson (1/25/2010)
This response is directly to the editorial - I haven't read any of the other comments yet..... If you think that, you are crazy!...
Tom,
I understand that people feel passionately about SQL issues, but your response seems a little over the top to me. It reads as if you're insulting Steve, not talking about the issue.
In the future, could you phrase your responses so they don't sound so much like personal attacks on the author and it sounds like you're actually participating in the discussion?
As it is, your entire string of entries comes across as "If I shout loud enough, everyone will agree with me" and not as if you're inviting comments to your own posts. Which is unfortunate since you obviously have good information to share.
Thanks,
January 26, 2010 at 9:59 am
Brandie Tarvin (1/26/2010)
Tom.Thomson (1/25/2010)
This response is directly to the editorial - I haven't read any of the other comments yet..... If you think that, you are crazy!...
Tom,
I understand that people feel passionately about SQL issues, but your response seems a little over the top to me. It reads as if you're insulting Steve, not talking about the issue.
In the future, could you phrase your responses so they don't sound so much like personal attacks on the author and it sounds like you're actually participating in the discussion?
As it is, your entire string of entries comes across as "If I shout loud enough, everyone will agree with me" and not as if you're inviting comments to your own posts. Which is unfortunate since you obviously have good information to share.
Thanks,
Hi Brandie
I guess if you had read the whole comment you would have reacted differently, as the final sentence makes it absolutely clear that I have great respect for Steve, indeed respect to such an extent that I find it worrying that I disagree with him on this topic.
Regards
Tom
January 26, 2010 at 10:32 am
I did read the whole comment. It's just that the first paragraph of any email or post sets the tone for the rest of it. Which means your final comment didn't make any impact at all other than "insert disclaimer here".
The reason I posted in the first place was because I know you have such respect for Steve and didn't mean for the post to sound that way. If I thought you were a flamer or a troll, I would have reported the post instead.
January 26, 2010 at 12:48 pm
Brandie Tarvin (1/26/2010)
I did read the whole comment. It's just that the first paragraph of any email or post sets the tone for the rest of it. Which means your final comment didn't make any impact at all other than "insert disclaimer here".
OK, fair comment - I do understand that the opening bit of the comment could be misunderstood - maybe I should use smileys more often, or maybe I should structure the thing more carefully (or maybe just not writing them at 1 am after a very long day would make me less prone to sound a bit wild).
Tom