March 21, 2012 at 11:58 am
We have an application that uses Windows groups for security in SQL 2008. The Windows groups are assigned the roles of datareader and datawriter. The application controls what data users can update/delete. Is it possible for the users in the Windows groups to connect to the SQL tables via ODBC and update/delete data - i.e. bypass the application to update the data? Thanks.
March 21, 2012 at 12:04 pm
Should be possible. All they'd have to do is download a free copy of Management Studio Express, and connect to the server using Windows authentication.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
March 22, 2012 at 2:49 am
+1 on what GSquared said.
One way to stop such a thing would be to limit the application to one user and then give it a really complex password. You would lose auditing, but you could make a modification to the app to grab the username of the logged-on machine and store it at the app level and pass that in for any auditing you may do which logs the username.
March 22, 2012 at 7:27 am
Thank you both for your replies.
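Added example, not part of any post in this thread: two T-SQL queries an administrator could run to see the exposure discussed above. The first lists the Windows groups and users holding the datareader/datawriter roles; the second lists current sessions whose client is not the application. The application name `MyApp` is a placeholder assumption, and the second query needs VIEW SERVER STATE.

```sql
-- 1) Run in the application database (SQL Server 2008 or later).
-- Fixed-role membership is enforced by the server for every connection,
-- whatever client opened it, so each principal listed here has the same
-- table access over ODBC or Management Studio as through the application.
SELECT
    m.name      AS member_name,
    m.type_desc AS member_type,          -- WINDOWS_GROUP or WINDOWS_USER
    r.name      AS role_name,
    CASE r.name
        WHEN N'db_datareader' THEN 'SELECT on all user tables'
        WHEN N'db_datawriter' THEN 'INSERT, UPDATE, DELETE on all user tables'
    END         AS access_granted
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_datareader', N'db_datawriter')
  AND m.type IN ('G', 'U')               -- G = Windows group, U = Windows user
ORDER BY m.name, r.name;

-- 2) Current user sessions that do not identify themselves as the application.
-- N'MyApp' is a placeholder: use the Application Name your application sets
-- in its connection string. program_name is supplied by the client, so this
-- is a visibility aid and not an access control.
SELECT
    s.session_id,
    s.login_name,
    s.nt_domain,
    s.nt_user_name,
    s.host_name,
    s.program_name,
    s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND (s.program_name IS NULL OR s.program_name <> N'MyApp')
ORDER BY s.login_time DESC;
```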