Hello, I have a sql server 2000 production database that will need to have
multiple web sites insert contact information into a table. I plan to
create a new sql user and only give it permission to execute one stored
procedure (that will do the insert row into the contact table).
Then I will provide to any outside vendor the SQL Server name, database,
user id, password and stored procedure (and input parameters) name. What are
the security concerns with this?
Would it make any sense to create a database with only this table in it, or
is this just overkill? I see that when I assign a new user to just one
database and one stored procedure that they can see the master database. Is
this an issue? Should I give the user
db_denydatareader on the master database?
Thanks
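The setup the question describes (one SQL login whose only right is EXECUTE on a single insert procedure) looks like this in SQL Server 2000 T-SQL. This is an added example, not code from the poster; the database name ContactsDB, the table and procedure names, the login name contact_writer and the password placeholder are all assumptions. It uses the 2000-era sp_addlogin / sp_grantdbaccess procedures rather than the CREATE LOGIN / CREATE USER syntax that arrived in 2005, and ends with a SETUSER check that the login can call the procedure but cannot touch the table directly.

```sql
-- Assumed database; adjust to your own.
USE ContactsDB;
GO

-- Contact table the vendors feed. The login created below never gets
-- direct rights on it; all inserts go through the procedure.
CREATE TABLE dbo.Contact (
    ContactID int          IDENTITY(1,1) NOT NULL PRIMARY KEY,
    SiteName  varchar(50)  NOT NULL,       -- which vendor site submitted it
    FullName  varchar(100) NOT NULL,
    Email     varchar(255) NOT NULL,
    Phone     varchar(30)  NULL,
    Created   datetime     NOT NULL DEFAULT (GETDATE())
);
GO

-- The one procedure the outside callers are allowed to run.
-- Validates its parameters instead of trusting the caller, and
-- parameterised input means no string-built SQL inside.
CREATE PROCEDURE dbo.usp_InsertContact
    @SiteName varchar(50),
    @FullName varchar(100),
    @Email    varchar(255),
    @Phone    varchar(30) = NULL
AS
BEGIN
    SET NOCOUNT ON;

    IF @SiteName IS NULL OR LTRIM(RTRIM(@SiteName)) = ''
       OR @FullName IS NULL OR LTRIM(RTRIM(@FullName)) = ''
       OR @Email IS NULL OR CHARINDEX('@', @Email) = 0
    BEGIN
        RAISERROR('Invalid contact data.', 16, 1);
        RETURN 1;
    END

    INSERT INTO dbo.Contact (SiteName, FullName, Email, Phone)
    VALUES (@SiteName, @FullName, @Email, @Phone);
    RETURN 0;
END
GO

-- SQL 2000 login and database user (assumed names; replace the password).
EXEC sp_addlogin
    @loginame = 'contact_writer',
    @passwd   = 'PLACEHOLDER_STRONG_PASSWORD',
    @defdb    = 'ContactsDB';
EXEC sp_grantdbaccess
    @loginame   = 'contact_writer',
    @name_in_db = 'contact_writer';
GO

-- The only permission this user holds: executing the procedure.
-- Because procedure and table are both owned by dbo, ownership chaining
-- lets the INSERT inside the procedure succeed without table rights.
GRANT EXECUTE ON dbo.usp_InsertContact TO contact_writer;
GO

-- Verification (run as dbo): impersonate the new user with SETUSER.
SETUSER 'contact_writer';
GO
-- Expected: error 229, SELECT permission denied on object 'Contact'.
SELECT * FROM dbo.Contact;
GO
-- Expected: succeeds and adds one row (constructed sample values).
EXEC dbo.usp_InsertContact
    @SiteName = 'vendor-site-a',
    @FullName = 'Test Person',
    @Email    = 'test@example.com';
GO
-- Expected: error 229, INSERT permission denied on object 'Contact'.
INSERT INTO dbo.Contact (SiteName, FullName, Email)
VALUES ('vendor-site-a', 'Direct Insert', 'direct@example.com');
GO
SETUSER;   -- drop back to your own context
GO
```

The SETUSER block is the check worth keeping in a deployment script: it proves the login can do exactly one thing. It does not change what the login can see in master through the guest user, which is the separate question raised above.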
DonDon (dons100@.ameritech.net) writes:
> Hello, I have a sql server 2000 production database that will need to have
> multiple web sites insert contact information into a table. I plan to
> create a new sql user and only give it permission to execute one stored
> procedure (that will do the insert row into the contact table).
> Then I will provide to any outside vendor the SQL Server name, database,
> user id, password and stored procedure(and input parameters) name. What
> are the security concerns with this?
> Would it make any sense to create a database with only this table in it,
> or is this just overkill. I see that when I assign a new user to just
> one database and one stored procedure that they can see the master
> database. Is this an issue? Should I give the user db_denydatareader
> on the master database?
I would rather not expose an SQL Server on the Internet at all, least of
all SQL 2000. SQL 2000 has no protection against brute-force attacks whatsoever.
Even if you have a really strong password for sa, someone might be able to
crack it. The server would also be open for denial-of-service attacks.
I think you should better implement some sort of web service. Not
necessarily with XML. But something that listens on a TCP/IP port, possibly
authenticates the user, and then connects to SQL Server with this low-priv
user you described. Username and password would be hard-coded into
this service, or read from a file.
Erland Sommarskog, SQL Server MVP, esquel@.sommarskog.se
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/pr...oads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodin...ions/books.mspx