Is there any way to protect access to a SQL Server installation?
I mean I want only a single user to be able to access the database and no one else, not even by Windows Authentication.
I want to do this because I don't want anyone to look into the database and see the details of the database.
What I did was install it normally and delete all logins in security except the user sa.
Related
I have two databases on the same SQL Server. One is an ERP database whose tables I am able to read, and one I created in MS Access. A stored procedure on the MS Access database is updating some tables from the ERP DB. The MS Access DB from here on is independently running.
When I installed on other computers, the Access Database is giving me a connection error when I am logged in as another user than myself.
- Are permissions from the ERP database affecting me in my Access Database? Should I worry about them?
- Is Windows Authentication enough to make the connection happen?
- Do I need to map the users over from the ERP database? If so, how do I do it?
- Can I grant every user on the server permission to access my tables using Windows Authentication? Do I need to go down this road? How do I do it?
I am just not too sure what to do from here on. Here is some more information about the issue.
- In my database I have an ODBC connection string that looks like this:
Driver={SQL Server Native Client 11.0};Server=SERVER;Database=DATABASENAME;Trusted_Connection=yes;
- I am packaging an exe file using SSESETUP, which is awesome.
- I am installing on the new computer and am able to launch when I am logged on as myself; however, I am getting a connection error when I am logged in as another user on the same computer. (Note: I am not able to debug from here on and see the VBA because I am running under Access runtime 2013 only.)
I would appreciate if someone can assist me in narrowing my search for a solution.
Bottom line, it sounds like you need to set up database permissions on your SQL Server for each Windows account that will be using your Access db.
Here are specific answers to your questions:
Are permissions from the ERP database affecting me in my Access Database
Yes, of course they are. Regardless of how you connect to the database the permissions will always be in effect.
Should I worry about them?
Yes, of course you should. Otherwise you won't be able to work with the data.
Is Windows Authentication enough to make the connection happen?
To make the connection, yes. SQL Server supports Windows authentication in both security modes (Windows only and mixed mode). But, this is just the connection. You also need to take the database permissions into consideration. Your Windows login needs to be granted the appropriate permissions within the specific database in order to do anything.
Do I need to Map the users over from the ERP database?
Map to what? Access? Based on the connection string in your question you're using Windows authentication to connect Access to SQL Server, so Access will connect to SQL Server under the security context of whoever is running Access. So the SQL Server permissions will need to be configured for each user who will be running your Access db.
Can I grant every user on the Server permission to access my tables using Windows Authentication?
Access to the SQL Server tables? Sure, you could. But you should limit it to only the necessary permissions. Granting access for everyone is likely overkill and not best practice.
I am using Access as a front end database to connect to SQL Server data. On my computer, it works just fine. On a user computer, it doesn't work. Has anyone successfully done this without creating a DSN on each computer?
Thanks,
Jeff
You will need to make sure whatever user is trying to connect to the DB has rights in SQL Server to view it. Access won't just remove the security needed to view it. You could create a DB role, then put everyone needing to get into that DB into the role and grant that role access. You could also get an AD group created for anyone that needs to view the table, get people added to that group, then grant that group access.
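The role and AD group approach from this answer, written out in T-SQL as an added example that is not part of the original posts. The names CONTOSO\AccessAppUsers, AccessAppDb, ErpDb, access_app_users and dbo.ErpOrders are hypothetical, and it assumes the stored procedure only reads from the ERP database.

```sql
-- Added example. All object and principal names are hypothetical.
USE master;
GO
-- One server-level login for the whole AD group, not one per person.
IF NOT EXISTS (SELECT 1 FROM sys.server_principals
               WHERE name = N'CONTOSO\AccessAppUsers')
    CREATE LOGIN [CONTOSO\AccessAppUsers] FROM WINDOWS;
GO

-- Database behind the Access front end: map the group to a database user,
-- put it in a role, and grant the role only what the front end needs.
USE AccessAppDb;
GO
CREATE USER [CONTOSO\AccessAppUsers] FOR LOGIN [CONTOSO\AccessAppUsers];
CREATE ROLE access_app_users;
ALTER ROLE access_app_users ADD MEMBER [CONTOSO\AccessAppUsers]; -- SQL Server 2012+
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO access_app_users;
GRANT EXECUTE ON SCHEMA::dbo TO access_app_users;
GO

-- ERP database: cross-database ownership chaining is off by default, so a
-- procedure in AccessAppDb that touches an ERP table is checked against the
-- caller. The caller therefore needs a user and a grant here as well.
USE ErpDb;
GO
CREATE USER [CONTOSO\AccessAppUsers] FOR LOGIN [CONTOSO\AccessAppUsers];
GRANT SELECT ON OBJECT::dbo.ErpOrders TO [CONTOSO\AccessAppUsers];
GO

-- Review what was actually granted in the current database.
SELECT pr.name AS principal_name,
       pe.class_desc,
       pe.permission_name,
       pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name IN (N'access_app_users', N'CONTOSO\AccessAppUsers');
```

With Trusted_Connection=yes, every Windows account that is a member of the group then connects under its own identity and inherits the role's permissions.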
You can connect using an ODBC connection with saved credentials to trick the SQL Server into thinking the user is someone else. However, I would only do this and provide read-only access. Then, you can revoke access to that username whenever and the whole system stops. Easy to do, just build an ODBC connection and save the username and password in it.
I created one, but for some reason, I can't log into it from SSMS, either from my computer or another one on the same network.
Will appreciate some help!
If the user you added is a SQL Server User, make sure that the Server instance has been configured to allow SQL Server Authentication. Depending on the Instance installation, it might be set to Windows Authentication Mode, in which case it'll only accept Windows Auth. SQL Users with username and password won't be able to log in.
I have a .NET application which connects to SQL Server 2008 for storing some data. I use SQL Server authentication, providing an sq username and a password to my end-user in the app.config file. If something more needs to be changed, I give the end-user some other credentials.
How can I limit the SQL user to only have permission to read/write data and execute existing stored procedures, with everything else forbidden?
What is the best practice for setting permissions for a SQL user that an application is using to connect to a database? Can I somehow prevent the user from logging in to Management Studio and messing with my data?
I'm not searching for the perfect 100% reliable solution, but the best existing practice to do this. Thank you very much in advance.
Update: I work on a shared hosting SQL Server environment.
You'll need to create a new SQL user, something like 'LimitedUser'. To do this in SSMS, select the Security Folder of the server you are using, right-click, select New, select Login.
Select your authentication type (SQL server authentication is easily managed), and set the Default database to your database.
You'll need to set Server Roles so this new user only maps to your DB, and in the last page (Status), set Login to false so they cannot use these credentials to login to SSMS and 'mess with your data'.
Click OK, and you're done creating your limited user.
Assign it to your database, and then in SSMS, right-click on your db, select Properties, Permissions.
Select your user or role, and in the permission grid below, switch on only what needs to be switched on.
As I see, your question is fully concerned with SQL server security.
You can limit user permissions at server, database or object scope, using the GRANT statement and server or database roles. For example, you can assign the db_datareader role to a user, and then grant EXECUTE permission to this user for some stored procedures (or for the entire database).
The current practice in my organization is to create the database roles (e.g. application admin, operator, and so on), add the appropriate permissions to these roles and then assign these roles to database users.
I'm not completely sure that you can prevent login into SQL Server Management Studio (SSMS), but SSMS will not display information that must be invisible for a user with the user's current permissions.
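A least-privilege application account along the lines of this answer, as an added example that is not from the original posts. AppDb, app_login, app_user and app_readwrite are hypothetical names, the password is a placeholder, and it assumes you are allowed to create server-level logins.

```sql
-- Added example. All names are hypothetical; replace the password placeholder.
USE master;
GO
CREATE LOGIN app_login
    WITH PASSWORD = N'<replace-with-generated-password>',
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = AppDb;
GO

USE AppDb;
GO
CREATE USER app_user FOR LOGIN app_login;

-- Custom role instead of db_owner: data access plus procedure execution,
-- and no DDL or permission management.
CREATE ROLE app_readwrite;
GRANT SELECT, INSERT, UPDATE, DELETE, EXECUTE ON SCHEMA::dbo TO app_readwrite;

-- sp_addrolemember also works on SQL Server 2008, the version in the question.
EXEC sp_addrolemember N'app_readwrite', N'app_user';
GO

-- Check the result from the application user's point of view.
EXECUTE AS USER = N'app_user';

-- Effective permissions on the dbo schema and on the database itself.
SELECT entity_name, permission_name
FROM sys.fn_my_permissions(N'dbo', N'SCHEMA');

SELECT entity_name, permission_name
FROM sys.fn_my_permissions(NULL, N'DATABASE');

-- Spot checks for rights the application account should not hold.
SELECT HAS_PERMS_BY_NAME(N'dbo', N'SCHEMA', N'ALTER')          AS can_alter_schema,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CREATE TABLE') AS can_create_table,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'CONTROL')      AS has_control;

REVERT;
GO
```

The same credentials still work from any client tool, so what limits the damage is the permission set, not the tool used to connect.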
Shared SQL Server hosting where a single instance is shared among multiple customers is not compatible with typical client-server applications. You are expected to perform all operations through a middle tier server such as a WCF Data Service and maintain user accounts within your database in a table with Forms Authentication etc.
For your client-server application you need VPS hosting with your own instance of SQL server where you can create server-level logins. Without creating server-level logins there is no method to secure a client-server application. Any workarounds are just pseudo-security.
I am a beginner in database field and this question might sound too stupid but I want to know why there is a login called sa and can I delete it?
I want to delete it because it seems to have pretty serious privileges on database server!
If it matters, I am using SQL Server Express 2008.
You can't remove the sa account but you can rename and/or disable it. Arguably this is good practice as otherwise you have a known username that an attacker could launch a brute force password attack against.
Just make sure if you disable the sa account that you have another account with administrator privileges.
sa is the admin account! Do not delete it; give it a strong password that you provide to no one except the database admin and a backup person.
sa is the main administrator account; it was the owner of the master database (holding data for user roles, schema, etc.), so it can't be deleted.
Just change the password (I think it was asked for during installation) and create a guest/public account with more restrictive privileges for use with your application, a.k.a. don't use sa in your application (the application you develop).
Also, depending on your environment, you can just turn off SQL Server Authentication altogether.
There are two types of authentication supported by SQL Server - Windows Authentication and SQL Authentication - you can have both or one of them active. If you switch off SQL Authentication then only valid Windows (as defined in the system) users will be able to use the server (normal permissions still apply, so each account has to be added to SQL Server as well, the fact that somebody has an account in the system doesn't mean they can access the SQL Server instance).
You can configure this in the server settings from the Management Studio.
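The checks behind the advice in this thread (rename or disable sa, keep another administrator, know which authentication mode is active), as an added example that is not from the original posts. The new login name renamed_admin is hypothetical, and the script assumes the built-in account is still named sa.

```sql
-- Added example. renamed_admin is a hypothetical name.

-- Authentication mode: 1 = Windows Authentication only, 0 = mixed mode.
-- In Windows-only mode, SQL logins with a username and password are rejected.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Find the built-in administrator by SID, so it is found even after a rename.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE sid = 0x01;

-- Other enabled members of sysadmin. At least one must exist before
-- the built-in account is disabled.
SELECT p.name, p.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
  AND p.is_disabled = 0
  AND p.sid <> 0x01;

-- Disable and rename only when another administrator is available.
IF EXISTS (SELECT 1
           FROM sys.server_role_members AS rm
           JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
           JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
           WHERE r.name = N'sysadmin'
             AND p.is_disabled = 0
             AND p.sid <> 0x01)
BEGIN
    ALTER LOGIN sa DISABLE;
    ALTER LOGIN sa WITH NAME = [renamed_admin];
END
ELSE
    PRINT 'No other enabled sysadmin found; leaving sa unchanged.';
```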
Never do it. To understand more appropriately, please refer to http://blog.sqlauthority.com/2008/12/24/sql-server-disable-and-enable-user-sa/