I have been asked to develop some security software that includes detection
of what ODBC connections to SQL Server databases exist. I think that it is
not useful, at least for security purposes, to determine what ODBC
connections exist for a database. Am I wrong?
One reason it is not useful is that a connection can be created dynamicly
anytime. I know that, since I do it. The person asking for this project is
not familiar with such things but I have already explained this much to him.
I don't know about SQL Server security enough to be sure, but it is my
understanding that it has it's own security that is much more effective than
attempts to prevent access by limiting ODBC connections.
I am not asking what other solutions exist; if I am correct in what I say
here, then I will pursue the other solutions myself and when necessary in
another thread.>I have been asked to develop some security software that includes detection
>of what ODBC connections to SQL Server databases exist. I think that it is
>not useful, at least for security purposes, to determine what ODBC
>connections exist for a database. Am I wrong?
You are correct. The person requesting this may not be familiar with SQL
Server data access architecture and now it relates to security. ODBC is
just one data access API of many. There are also others, such as OLE DB,
SQL Native Client. It does not makes sense to me that one would care, at
least from a security perspective, which API is used to connect to SQL
Server. All APIs can access SQL Server without a pre-configured DSN.
> I don't know about SQL Server security enough to be sure, but it is my
> understanding that it has it's own security that is much more effective
> than attempts to prevent access by limiting ODBC connections.
Absolutely. SQL Server security is the primary place security needs to be
implemented. Logins, database users and object permissions all provide
various levels of security. Given a login with appropriate permissions, one
could write a simple VBScript using Notepad to access and manipulate
database data.
Hope this helps.
Dan Guzman
SQL Server MVP
"Sam Hobbs" <samuel@.social.rr.com_change_social_to_socal> wrote in message
news:%23GT8ACP%23FHA.3340@.TK2MSFTNGP12.phx.gbl...
>I have been asked to develop some security software that includes detection
>of what ODBC connections to SQL Server databases exist. I think that it is
>not useful, at least for security purposes, to determine what ODBC
>connections exist for a database. Am I wrong?
> One reason it is not useful is that a connection can be created dynamicly
> anytime. I know that, since I do it. The person asking for this project is
> not familiar with such things but I have already explained this much to
> him.
> I don't know about SQL Server security enough to be sure, but it is my
> understanding that it has it's own security that is much more effective
> than attempts to prevent access by limiting ODBC connections.
> I am not asking what other solutions exist; if I am correct in what I say
> here, then I will pursue the other solutions myself and when necessary in
> another thread.
>|||Yes, Dan, that definitely helps; thank you.
Showing posts with label security. Show all posts
Showing posts with label security. Show all posts
Monday, March 26, 2012
Wednesday, March 21, 2012
ODBC -Connection failed
I create a Test database in SQL server, also I add new user in security folder. Also I add this user in Test database, the permission are: Public, and db_owner. But when I let the user try to open the database, it is ODBC Connection failed. I add another user a few months ago, she works fine. But the new user I added in didnt work, did you know why. I am sure I add the same permission as the later user. Thanks.Even though you added the user at the database level and gave it the different access roles (public and db_owner) - make sure you gave the user Database Access to from the Security/Logins dialog box. On the 3rd tab (Database Access) make sure the Test database is checked.
That might be your problem.
Alex|||Alex, it's impossible to have the user be enrolled into db_owner while not having the user to have a Database Access. Something else is fishy/not clear...
That might be your problem.
Alex|||Alex, it's impossible to have the user be enrolled into db_owner while not having the user to have a Database Access. Something else is fishy/not clear...
Monday, March 19, 2012
ODBC and SQL Security
Hi,
What is the best practice for authentication to Win2003 Server with SQL
Server 2000 database? For example, an Access 2003 application that would us
e
a ODBC pass-through query to connect and select (read only) data from the
SQL Server database. Would prefer to hard code the username and password
using VBA as this is a reporting app only. We are using a Novell network on
servers where Access app is installed. Usernames are only unique within the
contexts on multiple Novell servers.Bonnie
http://vyaskn.tripod.com/ sql_serve...r />
.htm#Step1
--administaiting
best practices
http://vyaskn.tripod.com/sql_server...t_practices.htm --secu
rity
best practices
"Bonnie" <Bonnie@.discussions.microsoft.com> wrote in message
news:1A495F95-D112-4364-A11B-F1FDC24D93C4@.microsoft.com...
> Hi,
> What is the best practice for authentication to Win2003 Server with SQL
> Server 2000 database? For example, an Access 2003 application that would
use
> a ODBC pass-through query to connect and select (read only) data from the
> SQL Server database. Would prefer to hard code the username and password
> using VBA as this is a reporting app only. We are using a Novell network
on
> servers where Access app is installed. Usernames are only unique within
the
> contexts on multiple Novell servers.
What is the best practice for authentication to Win2003 Server with SQL
Server 2000 database? For example, an Access 2003 application that would us
e
a ODBC pass-through query to connect and select (read only) data from the
SQL Server database. Would prefer to hard code the username and password
using VBA as this is a reporting app only. We are using a Novell network on
servers where Access app is installed. Usernames are only unique within the
contexts on multiple Novell servers.Bonnie
http://vyaskn.tripod.com/ sql_serve...r />
.htm#Step1
--administaiting
best practices
http://vyaskn.tripod.com/sql_server...t_practices.htm --secu
rity
best practices
"Bonnie" <Bonnie@.discussions.microsoft.com> wrote in message
news:1A495F95-D112-4364-A11B-F1FDC24D93C4@.microsoft.com...
> Hi,
> What is the best practice for authentication to Win2003 Server with SQL
> Server 2000 database? For example, an Access 2003 application that would
use
> a ODBC pass-through query to connect and select (read only) data from the
> SQL Server database. Would prefer to hard code the username and password
> using VBA as this is a reporting app only. We are using a Novell network
on
> servers where Access app is installed. Usernames are only unique within
the
> contexts on multiple Novell servers.
Subscribe to:
Posts (Atom)