tags:

views:

114

answers:

3
+1  Q: 

Locking SQL Server to a specific application on a web server

I'm curious, is there a way to tell the SQL Server that a specific group has access to the database only from a single location/application. I have an SQL Server and a Web Server. Our applications use stored procedures and access for each stored procedure is based on the role that is allowed to access it. Then user groups are assigned roles based on the functions they'll preform. As an added layer of security I would like to specify the web application that these users can access the database from.

I suppose this is overkill. The stored procedure names are hidden from users at all times (all errors are hidden, with generic "sorry this isn't working" displayed to the user). Users only have access to the stored procedures they are allowed to execute. It would just be a nice additional piece of security so should a table accidentally grant everyone full access, the database would only allow full access from one location.

A: 

I suggest run the application/app pool as a service account which has permission on the procedures, but don't grant any permissions to the users themselves. This entails not implementing user security at the database level, but instead at the app level..

ScottK  2008-11-17 15:37:06
The only problem with this is varying the levels of access for a application. Many applications have both an administrator level and a basic user level. To have varying levels this method would need X pools and X applications for X levels.
DrSpeedo  2008-11-17 18:13:24
A: 

In the connection string, you can set Application Name=MyAppName - this is not real security, but you can check this in your SPs (sysprocesses - in the program_name column) and through sp_who.

There's nothing you can do about tables - which is why I recommend that nobody be in any role which is allowed access to tables at all (SELECT, INSERT, UPDATE, or DELETE).

You can audit this on a regular basis with some automated T-SQL to ensure that no one has done anything stupid.

I'm not advocating this in any way, but you can do something like this for views (comparing the SPID of the current process and program_name):

CREATE VIEW YourViewNameHere
AS
SELECT *
FROM YourTableNameHere
WHERE EXISTS (
    SELECT spid, program_name
    FROM sys.sysprocesses
    WHERE program_name = 'YourProgramNameHere'
     AND spid = @@SPID
)
Cade Roux  2008-11-17 15:45:07
What about with View's? This question stems from the idea of using Linq to Sql and rather than having separate stored procedures for each level of access implement views which enforce the access for each table and are used by the Linq to SQL.
DrSpeedo  2008-11-17 18:15:51
I'll update my answwer for view craziness
Cade Roux  2008-11-17 18:30:50
A: 

The easiest way is to just lock it down on the user-level. You can run your win/web application under a specific security context that you have the needed rights configured for.

This gives the benefit of forcing users to run your app to interact with SQL and can't just open Enterprise Manager or whatever.

Kevin Fairchild  2008-11-17 17:03:44

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?