October 31, 2002 at 3:00 am
Hi All,
Having just started a new role in a company I've got a simple problem (for you guys) which is driving me crazy.
Scenario
~~~~~~~~
One SQL 2000 server, several databases on a web server which is hosted by us in DMZ zone of firewall. The server is not joined to our domain (obviously) and I am having problems when users on the domain are trying to connect to tables within these databases. They get prompted for a username and password to connect, and up until recently have been using the sa account without a password (an unsecure setup which I have now resolved). However users are now being asked for a username and password and without giving out the SA password, how do I allow them to connect.
The solution I've come up with so far is to setup the ODBC on the users computer to use windows authentication, however this means that I need to setup the user on the web server and in the database with respective privilages on the necessary SQL tables. This works fine for 2 weeks until the user has to change their login password on the domain (security policy) at which point I then have to manually update the web server with the new passwords.
The second option I've been looking at is to specify a username and password in the ODBC that is a user on the web server and SQL user databases, however the ODBC seems to forget the details and the user gets prompted again ..
Any Ideas
October 31, 2002 at 8:36 am
You might consider creating a separate domain for your DMZ, and then creating a one-way trust between your DMZ's domain and your domain, with your DMZ's domain trusting your domain. That way, user's authenticated on your domain will be recognized in you DMZ's domain, but systems, users (or intruders) on your DMZ's domain won't be trusted on your domain.
Matthew Burr
October 31, 2002 at 9:29 am
Hi Matthew, thanks for that.. But in opening up ports between my DMZ and main domain would I not be encouraging any security risks..
In other words are there any other ways of setting this up..
October 31, 2002 at 11:04 am
I won't claim to be an expert on DMZs, but it seems to me that ports exist between your DMZ and your main domain anyway at a TCP level. I suppose that - from a certain standpoint - you're coupling your main domain and your DMZ more closely if you create a trust relationship between the two. You're limiting that relationship by making it one way, but you're also placing more faith in Microsoft's OS and its networking that it will have the necessary security to ensure the security really is one way.
As an alternative to this solution, you could consider allowing mixed mode authentication on your SQL Servers, which would allow you to create SQL Server logins, besides "sa", that your users could use to connect to the SQL Server using a user-name and password. This would allow you to maintain the DMZ and allow your users to maintain their own passwords. It should also alleviate you of the need to employ the workaround that you are currently using.
Matthew Burr
October 31, 2002 at 11:31 am
Windows Auth won't transit most firewalls if they are setup securely. Windows Auth requires the NetBIOS ports.
Either use SQLAuth or setup a VPN like tunnel from your DMZ to the network and give the users access as Windows Auth users.
Steve Jones
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply