Setting Sql server security rights for multiple situations

Question

We have an application which uses an instance of Sql Server locally for its backend storage. The administrator windows login has had its sysadmin right revoked, and instead two sql logins have been created; one for the application with a secret password and one read only login we let users view the raw data with.

This was working fine until we moved on FileStreams, which requires intergrated windows authentication. So now the sql server logins must be replaced.

As a result, I am now reviewing all of our logins but I am not sure how it is possible. It seems that the application needs full read/write access, yet I still need to lock down writing to the tables so the user cannot login into the database and delete data randomly. Does anyone have any tips for setting multiple levels of security using intergrated windows logins, or can you direct me to any further reading?

Some answers can also be found on serverfault: http://serverfault.com/questions/138763/setting-sql-server-security-rights-for-multiple-situations

Answer 1

You can grant data read rights to the windows login your users will use (ie. the actual user, a group, or a built-in group like Users or Everyone). Your application can use an approle with a 'secret' password, and grant the necessary write rights to this approle. Your app logs in as the windows user, but then it impersonates the approle. See Application Roles.

Some notes:

• An administrator can always gain access. All it need to do is follow the KB 937682 step-by-step: How to add a Windows user to the sysadmin fixed server role in SQL Server 2005 as a failure recovery mechanism
• You can never embed 'secrets' in an application. You can at best obfuscate them, but any secret buried in code or in config can be found.