
Security Issues

Status
Not open for further replies.

quisar

Programmer
Aug 21, 2002
45
IN
Dear All,

Our application uses the "sa" user to log in to the SQL Server database. The password of this user is present in the registry. If any user gets to know the password, they can easily log in to our database, take a backup of it, etc.
How can this be prevented?

Regards,

 
The normal process is to create a SQL account with dbo access to the db; it should not be a part of the sysadmin group. This will give full access to the db, but not to any other servers. If they need to use any system procedures, just give permissions to those sp's. Hope this helps you out. If you need any detailed clarifications, let me know.

Dr.Sql
Good Luck.
 
No one should ever use the sa account for anything. Especially for an application to use.

Applications should have their own accounts or each user should have their own account. These accounts should have the least amount of rights and still be able to work.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
 
I would go one better. Unless the application needs to be creating database objects (tables, views, indexes, or procedures) on the fly, then the application user should just have rights to modify data and run individual stored procedures. But that is just me.
 
In a truly secure database an application shouldn't have access to any of the data. Only to stored procedures. If the app needs to see data, a stored procedure is run which returns the needed data to the application. Same with updates and inserts.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)
[noevil]
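
The stored-procedure-only setup described in the replies above, as an added T-SQL example that is not code from any poster in this thread. It assumes SQL Server 2005 or later syntax; the database `AppDb`, login `app_svc`, role `app_exec`, schema `app`, table `dbo.Orders` and procedure `app.GetOrderById` are all hypothetical names.

```sql
-- Added example: every object name below is a hypothetical placeholder.
-- Run as an administrator; the application itself only ever connects as app_svc.
USE master;
-- Dedicated login for the application, never added to any server role.
-- Replace the placeholder with a generated password before running.
CREATE LOGIN app_svc WITH PASSWORD = '<replace-with-generated-password>', CHECK_POLICY = ON;
GO
USE AppDb;
GO
-- Sample table standing in for the application's data (constructed for this example).
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int NOT NULL, Total money NOT NULL);
GO
-- Database user mapped to the login, placed in a role that carries the grants.
CREATE USER app_svc FOR LOGIN app_svc;
CREATE ROLE app_exec;
EXEC sp_addrolemember 'app_exec', 'app_svc';
GO
-- The schema is owned by dbo, the same owner as the table, so procedures in it
-- can read dbo.Orders through ownership chaining without any table grant.
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE PROCEDURE app.GetOrderById
    @OrderId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, CustomerId, Total
    FROM dbo.Orders
    WHERE OrderId = @OrderId;
END;
GO
-- The only permission the application receives: EXECUTE on its procedure schema.
-- No SELECT/INSERT/UPDATE/DELETE on tables, no db_owner, no sysadmin.
GRANT EXECUTE ON SCHEMA::app TO app_exec;
GO
-- Checks an administrator can run after setup.
-- 1. Server-role membership of the application login.
SELECT IS_SRVROLEMEMBER('sysadmin', 'app_svc') AS app_svc_is_sysadmin;
-- 2. Every permission held by the role inside this database.
SELECT p.permission_name, p.state_desc, p.class_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS r ON r.principal_id = p.grantee_principal_id
WHERE r.name = 'app_exec';
-- 3. Act as the application user: the procedure call is covered by the grant,
--    while the direct table read has no permission behind it.
EXECUTE AS USER = 'app_svc';
EXEC app.GetOrderById @OrderId = 1;
SELECT TOP 1 OrderId FROM dbo.Orders;
REVERT;
```

With this layout, someone who recovers the application's stored credential can only call the procedures in the `app` schema; backing up the database or reading tables directly requires rights the account was never given.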
 