 Secure Remote access to Prod. SQL Server


bobhansen
Starting Member

2 Posts

Posted - 2009-12-07 : 15:20:23
Hi,
I'm trying to create a secure way for an external user to access a production SQL server and have the functionality of query analyzer.
They need to run SELECT ONLY queries, NO UPDATES, from outside our company firewall. One idea is to make available in our DMZ using Citrix a query analyzer tool that doesn't allow the user to enter the connection information, so automatically connecting to the SQL server and database they need. I think auditing would sign off on this approach.

I have started my search for a SQL query tool or may have our dev group develop it, but thought I'd check and see if others know of a good tool.

Any other ideas on how to allow remote access, but have it be VERY VERY SECURE.

THANKS for your help!!

Bob

tkizer
Almighty SQL Goddess

38200 Posts

Posted - 2009-12-07 : 15:25:43
We use VPN to remotely connect. Just provide the permissions that you want the user to have and then the user won't be able to make data modifications.

Tara Kizer
Microsoft MVP for Windows Server System - SQL Server
http://weblogs.sqlteam.com/tarad/


"Let's begin with the premise that everything you've done up until this point is wrong."

russell
Pyro-ma-ni-yak

5072 Posts

Posted - 2009-12-08 : 12:45:50
We use VPN and Citrix.

Either way, I'd only allow Windows Authentication. Then lock down the permissions as needed like Tara said. Adding user to db_datareader role will allow SELECT on all tables in database.

You should know that allowing SELECT on production tables to users may cause performance issues. We do not allow any users other than the DBA group on production servers at all.
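An added example, not part of any post in this thread: one way to set up the Windows-authenticated, read-only access described above and then audit what the account can actually do. The account `CONTOSO\ext_reader` and the database `ReportingDb` are hypothetical placeholders; the syntax is the SQL Server 2005 form.

```sql
-- Hypothetical names: CONTOSO\ext_reader (Windows account), ReportingDb (database).
USE master;
CREATE LOGIN [CONTOSO\ext_reader] FROM WINDOWS
    WITH DEFAULT_DATABASE = ReportingDb;
GO

USE ReportingDb;
CREATE USER [CONTOSO\ext_reader] FOR LOGIN [CONTOSO\ext_reader];
-- SELECT on every table and view in this database.
EXEC sp_addrolemember N'db_datareader', N'CONTOSO\ext_reader';
-- Explicit deny of INSERT/UPDATE/DELETE, so a grant picked up later
-- through another role does not quietly turn the account into a writer.
EXEC sp_addrolemember N'db_denydatawriter', N'CONTOSO\ext_reader';
GO

-- Audit 1: database roles the account belongs to.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE m.name = N'CONTOSO\ext_reader';

-- Audit 2: permissions granted or denied directly to the account,
-- outside of role membership.
SELECT p.class_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS u ON u.principal_id = p.grantee_principal_id
WHERE u.name = N'CONTOSO\ext_reader';

-- Audit 3: effective database-level permissions, evaluated as the account.
-- Assumes the server can resolve the Windows account when impersonating it.
EXECUTE AS USER = N'CONTOSO\ext_reader';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

The role-based deny covers direct statements against tables; it does not stop data changes made inside a stored procedure the account has EXECUTE on, so review EXECUTE grants as well.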

bobhansen
Starting Member

2 Posts

Posted - 2009-12-09 : 16:52:15
Thanks Tara and Russell for your replies!!

What we've come up with is: allowing the external user to connect to a Citrix server in the DMZ, publish SQL Mgmnt Studio client for the user and then use the Firewall between the DMZ and our main domain to restrict access over port 1433 to only the SQL server they need.
Thus greatly limiting the danger of them connecting to other SQL servers in the main domain. The way they were originally set up, they had a domain user account and would connect to Citrix with a published SQL Mngmnt Studio client. Security/Auditing didn't like this.... me either, they would be able to potentially connect to other SQL servers if they could guess user/passwords. This way they can't log in to the main domain and they should be restricted to only the one SQL server.

THANKS AGAIN!