
 Sql Server Authentication vs Custom Authentication


t1g312
Posting Yak Master

148 Posts

Posted - 2004-08-03 : 04:04:13
Hi all,

Which of the two would be a better idea: a) authentication using SQL Server, or b) create a table with username, password, etc. and write a custom authentication module?

Thanks!

Adi

-------------------------
/me sux @sql server

JasonGoff
Posting Yak Master

158 Posts

Posted - 2004-08-03 : 04:27:30
Why re-invent the wheel?
The only reason I can think of doing (b) is if you want custom security in your application, but even this can be achieved by judicious use of NT Authentication, database roles and IS_MEMBER().

t1g312
Posting Yak Master

148 Posts

Posted - 2004-08-03 : 06:48:06
What I am worried about is that users can use Sql Query Analyzer and make changes directly without going through the program.

Adi

-------------------------
/me sux @sql server

JasonGoff
Posting Yak Master

158 Posts

Posted - 2004-08-03 : 07:07:45
Revoke all permissions to SELECT, UPDATE, INSERT, DELETE from your tables.
Make all changes via stored procedures and give your users EXECUTE permissions on these.
That stops them hacking data via SQL, Access, or any other method.
Don't install the SQL client tools onto your users' PCs.
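The permission model from the reply above, written out as a T-SQL script for SQL Server 2000. This is an added example, not code from the thread or from either poster; the database AppDb, the table dbo.Orders, the role app_users and the Windows group DOMAIN\AppUsers are hypothetical names. The reason the pattern works is ownership chaining: when the procedure and the table have the same owner (dbo here), SQL Server does not check the caller's permissions on the table at all, so EXECUTE on the procedure is the only right the user needs. Two points a practitioner would add: DENY, not just REVOKE, is what guarantees a user cannot pick the table permission back up through some other role; and keeping Query Analyzer off the desktops is not a control, since any ODBC or OLE DB client can send ad hoc SQL, so the grants below have to hold on their own.

```sql
-- Added example (not from the original thread). Hypothetical names:
-- database AppDb, table dbo.Orders, role app_users, group DOMAIN\AppUsers.
USE AppDb
GO

-- Table that application users must never touch directly.
CREATE TABLE dbo.Orders (
    OrderId    INT         NOT NULL PRIMARY KEY,
    Status     VARCHAR(20) NOT NULL,
    ModifiedBy SYSNAME     NULL,
    ModifiedOn DATETIME    NULL
)
GO

-- Database role for application users, populated from a Windows group
-- (NT authentication: the application stores no passwords of its own).
EXEC sp_addrole 'app_users'
EXEC sp_grantlogin 'DOMAIN\AppUsers'
EXEC sp_grantdbaccess 'DOMAIN\AppUsers'
EXEC sp_addrolemember 'app_users', 'DOMAIN\AppUsers'
GO

-- Take direct table access away. REVOKE only removes explicit grants;
-- DENY also overrides any grant the user inherits via another role.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM public
DENY   SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO app_users
GO

-- The only sanctioned write path. Owned by dbo, like the table, so the
-- ownership chain lets callers reach dbo.Orders through this procedure
-- without holding any permission on the table itself.
CREATE PROCEDURE dbo.usp_SetOrderStatus
    @OrderId INT,
    @Status  VARCHAR(20)
AS
BEGIN
    SET NOCOUNT ON

    -- Business rules live here, where a Query Analyzer user cannot skip them.
    IF @Status NOT IN ('Open', 'Shipped', 'Closed')
    BEGIN
        RAISERROR('Invalid status %s', 16, 1, @Status)
        RETURN 1
    END

    UPDATE dbo.Orders
    SET    Status     = @Status,
           ModifiedBy = SUSER_SNAME(),   -- records the real Windows login
           ModifiedOn = GETDATE()
    WHERE  OrderId = @OrderId

    IF @@ROWCOUNT = 0
    BEGIN
        RAISERROR('Order %d not found', 16, 1, @OrderId)
        RETURN 1
    END

    RETURN 0
END
GO

-- The one right application users get.
GRANT EXECUTE ON dbo.usp_SetOrderStatus TO app_users
GO
```

After this script a member of DOMAIN\AppUsers who opens Query Analyzer and runs `UPDATE dbo.Orders SET Status = 'Closed'` gets a permission-denied error, while `EXEC dbo.usp_SetOrderStatus 42, 'Closed'` succeeds and is validated and audited by the procedure. Audit the grants with `sp_helprotect 'dbo.Orders'`: nothing other than dbo should appear with a GRANT on the table.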

derrickleggett
Pointy Haired Yak DBA

4184 Posts

Posted - 2004-08-03 : 07:47:46
I would say the best security models usually involve a combination of NT Security and application security, which would end up being driven by tables.

The NT Security lets the application user only EXEC procs necessary for the application (in .NET you can even restrict that further by having contexts). The application further restricts access by giving only pieces of those EXEC rights to people based on User roles. There doesn't need to be rights given directly to tables anywhere (99% rule).

Generally speaking, the more levels of limiting control that exist, the harder it is to destroy or access a system improperly. Each level also gives you an invaluable item called time to defend the system.

MeanOldDBA
derrickleggett@hotmail.com

When life gives you a lemon, fire the DBA.
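The two-layer model described above, as an added example that is not part of the original post and not either poster's code. Layer one is NT security: a database role decides who may EXEC the application's procedures at all (this is also where the IS_MEMBER() check suggested earlier in the thread fits). Layer two is application security driven by a table: a per-login permission table decides which pieces of that EXEC right a particular person gets. The script assumes a database role app_users and a table dbo.Orders(OrderId, Status) already exist; the AppPermission table, the procedure names and the sample rows are hypothetical and constructed for the example. One caveat: SUSER_SNAME() only identifies the end user when the application connects with the user's own Windows credentials. If the application connects as a single service account, the per-user check must live in the application, and the database layer can only ever see the service account.

```sql
-- Added example (not from the original thread). Assumes the role app_users
-- and the table dbo.Orders(OrderId, Status) already exist; everything else
-- here is a hypothetical name or constructed sample data.
USE AppDb
GO

-- Layer 2: permissions maintained by the application, one row per
-- (Windows login, action). The application writes here through its own
-- procedures, never via direct table access.
CREATE TABLE dbo.AppPermission (
    LoginName  SYSNAME     NOT NULL,   -- e.g. DOMAIN\jdoe
    ActionName VARCHAR(40) NOT NULL,   -- e.g. ShipOrder
    CONSTRAINT PK_AppPermission PRIMARY KEY (LoginName, ActionName)
)
GO

-- Constructed sample grants.
INSERT dbo.AppPermission VALUES ('DOMAIN\jdoe',   'ViewOrder')
INSERT dbo.AppPermission VALUES ('DOMAIN\jdoe',   'ShipOrder')
INSERT dbo.AppPermission VALUES ('DOMAIN\asmith', 'ViewOrder')
GO

-- Gate called by every application procedure: returns 0 when the caller
-- passes both layers, raises an error and returns 1 otherwise.
CREATE PROCEDURE dbo.usp_CheckAppPermission
    @ActionName VARCHAR(40)
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @Caller SYSNAME
    SET @Caller = SUSER_SNAME()        -- the connected Windows login

    -- Layer 1 (NT security): caller must be in the application role.
    -- IS_MEMBER returns 1 (member), 0 (not a member) or NULL (no such role).
    IF ISNULL(IS_MEMBER('app_users'), 0) <> 1
    BEGIN
        RAISERROR('%s is not an application user', 16, 1, @Caller)
        RETURN 1
    END

    -- Layer 2 (application security): table-driven per-user grant.
    IF NOT EXISTS (SELECT 1
                   FROM   dbo.AppPermission
                   WHERE  LoginName  = @Caller
                   AND    ActionName = @ActionName)
    BEGIN
        RAISERROR('Action %s is not permitted for %s', 16, 1, @ActionName, @Caller)
        RETURN 1
    END

    RETURN 0
END
GO

-- A business procedure that uses the gate. DOMAIN\jdoe may run it;
-- DOMAIN\asmith is in app_users but is stopped at layer 2.
CREATE PROCEDURE dbo.usp_ShipOrder
    @OrderId INT
AS
BEGIN
    SET NOCOUNT ON
    DECLARE @rc INT
    EXEC @rc = dbo.usp_CheckAppPermission 'ShipOrder'
    IF @rc <> 0 RETURN @rc

    -- Reached only after both layers passed; ownership chaining covers
    -- the table access, so no table rights are granted to anyone.
    UPDATE dbo.Orders
    SET    Status  = 'Shipped'
    WHERE  OrderId = @OrderId
    AND    Status  = 'Open'

    RETURN 0
END
GO

-- Layer 1 right: members of app_users may call the procedure at all.
GRANT EXECUTE ON dbo.usp_ShipOrder TO app_users
GO
```

Because the check runs inside the procedure rather than in the client, a user who reaches the server with Query Analyzer is subject to exactly the same two layers as one going through the application, which is the "more levels of limiting control" point made above.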