Monday, March 26, 2012

generic account vs. named account

Good morning,
We are having a debate here about development. We in
programming would like to create a generic user account
for example TransDev and have the users use that to create
an ODBC connection to the database versus having it
reference a person. The network admin group says that's a
horrible thing to request. I didn't find such an instance
on your website which answered a lot of my other
questions. Does anyone have a perspective from a security
standpoint where such a request would be a bad thing?
Thanks in advance.
Laura Mayer
Database Analyst
C&S Wholesale Grocers
802-257-6855

first, if everyone is using the same id, it's much more difficult to
tell who screwed something up. also much easier for that login and
password to fall into the wrong hands.
since your network admins seem to hate your idea, force them to do some
work (if they run your authentication servers). have them create an
ntgroup and add all the users that need access to the db. then you give
the ntgroup the permissions it needs in the db. then when someone new
needs access to the db or someone leaves, the network admins will have
to go change the ntgroup and you won't have to do anything.
Laura wrote:

> Good morning,
> We are having a debate here about development. We in
> programming would like to create a generic user account
> for example TransDev and have the users use that to create
> an ODBC connection to the database versus having it
> reference a person. The network admin group says that's a
> horrible thing to request. I didn't find such an instance
> on your website which answered a lot of my other
> questions. Does anyone have a perspective from a security
> standpoint where such a request would be a bad thing?
> Thanks in advance.
> Laura Mayer
> Database Analyst
> C&S Wholesale Grocers
> 802-257-6855
|||Thanks for that. What do you think about the ODBC
connection? Currently we are setting up the connection
using a person's name with the appropriate connections. I
would like to have a generic account. Could I have them
create that and put it in the group? Would that be an
appropriate middle ground?
Thanks
Laura
>--Original Message--
>first, if everyone is using the same id, it's much more difficult to
>tell who screwed something up. also much easier for that login and
>password to fall into the wrong hands.
>since your network admins seem to hate your idea, force them to do some
>work (if they run your authentication servers). have them create an
>ntgroup and add all the users that need access to the db. then you give
>the ntgroup the permissions it needs in the db. then when someone new
>needs access to the db or someone leaves, the network admins will have
>to go change the ntgroup and you won't have to do anything.
|||not really. you would put the ntusers into the ntgroup. then when
setting up the odbc, you'd choose windows authentication instead of
sqlserver authentication.
for example, you have users joe and john both members of domain1.
you create a group in domain1 called sqlgrp.
add domain1\joe and domain1\john to domain1\sqlgrp.
assign db permissions to domain1\sqlgrp.
set up odbc to use windows authentication.
that way there are no additional passwords to manage, only one set of db
permissions to manage, greater security with windows accounts versus
sqlserver accounts.
Laura wrote:
> Thanks for that. What do you think about the ODBC
> connection? Currently we are setting up the connection
> using a person's name with the appropriate connections. I
> would like to have a generic account. Could I have them
> create that and put it in the group? Would that be an
> appropriate middle ground?
> Thanks
> Laura
|||Adding to the comments of 'ch', from your ODBC connection string you can use
the:
Trusted_Connection=yes;
option to force the authentication to be "trusted". Stay away from generic
access accounts; they cannot be monitored, creating a huge security hole
(IMO).
Steve
"Laura" <anonymous@.discussions.microsoft.com> wrote in message
news:bb1501c40834$75b42b80$a501280a@.phx.gbl...
> Thanks for that. What do you think about the ODBC
> connection? Currently we are setting up the connection
> using a person's name with the appropriate connections. I
> would like to have a generic account. Could I have them
> create that and put it in the group? Would that be an
> appropriate middle ground?
> Thanks
> Laura
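The group-based setup described in the replies above, as an added T-SQL example that is not part of the original thread. It grants access once to domain1\sqlgrp and shows that changes are still attributable to the individual Windows user, which a shared generic login cannot give you. The database TransDb, the tables dbo.Orders and dbo.OrdersAudit, the trigger name, and the server name in the connection string are assumed for illustration.

```sql
-- Names from the thread: domain1\sqlgrp (members domain1\joe, domain1\john).
-- Assumed for this example: database TransDb, tables Orders/OrdersAudit.

USE master;
-- One login for the Windows group; no SQL Server password to share or rotate.
CREATE LOGIN [domain1\sqlgrp] FROM WINDOWS;
GO

USE TransDb;
CREATE USER [domain1\sqlgrp] FOR LOGIN [domain1\sqlgrp];
GO

CREATE TABLE dbo.Orders (
    OrderId INT         NOT NULL PRIMARY KEY,
    Status  VARCHAR(20) NOT NULL
);
CREATE TABLE dbo.OrdersAudit (
    AuditId   INT IDENTITY(1,1) PRIMARY KEY,
    OrderId   INT       NOT NULL,
    Action    CHAR(1)   NOT NULL,   -- I = insert, U = update
    ChangedBy SYSNAME   NOT NULL,   -- individual login, e.g. domain1\joe
    ChangedAt DATETIME2 NOT NULL DEFAULT SYSUTCDATETIME()
);
GO

-- Permissions go to the group only, and only on the working table.
-- The group gets nothing on OrdersAudit, so members cannot edit the trail;
-- the trigger below still writes to it through ownership chaining (same owner, dbo).
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO [domain1\sqlgrp];
GO

CREATE TRIGGER dbo.trg_Orders_Audit ON dbo.Orders
AFTER INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    -- ORIGINAL_LOGIN() returns the connecting Windows account, not the group.
    INSERT INTO dbo.OrdersAudit (OrderId, Action, ChangedBy)
    SELECT i.OrderId,
           CASE WHEN EXISTS (SELECT 1 FROM deleted) THEN 'U' ELSE 'I' END,
           ORIGINAL_LOGIN()
    FROM inserted AS i;
END;
GO

-- ODBC connection string for each developer (server name is a placeholder):
--   Driver={ODBC Driver 17 for SQL Server};Server=SQLHOST01;Database=TransDb;Trusted_Connection=yes;
-- Who changed what:
SELECT ChangedBy, Action, COUNT(*) AS Changes
FROM dbo.OrdersAudit GROUP BY ChangedBy, Action;
```

With a shared SQL Server login such as TransDev, the ChangedBy column would hold the same value for every row.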