Question

My scenario is an MVC blog (FunnelWeb) installed on a server named WEB. SQL Server 2005 runs on DB. The FunnelWeb site requires access to its own database. I have created a new database using SQL Server Management Studio and named it FunnelWeb. I want to use SQL authentication, so I went ahead and created a SQL login, FunnelWebAdmin. In the login mappings I have mapped FunnelWebAdmin to the FunnelWeb database and granted it db_owner on that database. I have not granted the login any server roles.

SQL Authentication is enabled for the server.

My question is:

Do I need to grant this login any server roles so that the web site can connect to the database using SQL authentication? If yes, which are the minimum ones for the site to be able to manipulate the database?


Solution

Unless I'm missing something, setting that user in the role DBAdmin will give it the right to log in. It will give it full rights and control over the database.

Be sure you lock down that web application. Giving admin rights to a DB from a web app is dangerous at best. It leaves you open to SQL injection, which can open the door to all sorts of issues. A good attacker (or a mediocre one with access to google) can exploit an SQL Injection attack and gain full control over the operating system if the server isn't locked down properly. http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

Even if they can't get control over the OS, you still need to worry about data theft, insertion of XSS or XSRF scripts, or any number of attacks.

I'm not saying not to do it, just to be careful and be sure you know what you're doing. Getting access to a database via a web app is child's play if there are any vulnerabilities. There are toolkits that you can buy that do it for you, so attackers don't even need to know what they're doing.

I really have no idea what your experience level is, so forgive me if I'm telling you something you already know. Your question indicates that you're more on the "beginner" end of the spectrum, but I may be wrong.

Assuming I'm right, however, I would really caution you to spend a lot of time on these sites, learning everything you can. They don't teach this stuff adequately in school, or in the "learning programming" resources (books, web, videos, etc.).

OWASP Top 10

Writing Secure Code (Microsoft)

Even if the website itself is not Internet accessible (say it's running on a corporate Intranet and only logged in users have access) you still need to be cautious. Statistics show that disgruntled co-workers with access are just as much of a threat as outside attackers. Just something to bear in mind.
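As an added T-SQL example (not from the original poster, the answerer, or the FunnelWeb project), the script below sets up the configuration described in the question next to a least-privilege alternative, then checks what each principal can actually do. The database name FunnelWeb and the login FunnelWebAdmin come from the question; the second login FunnelWebApp, the password placeholders, and the assumption that the application's tables live in the dbo schema are mine. Two facts the question turns on: CREATE LOGIN grants the login CONNECT SQL at server level by default, and CREATE USER grants CONNECT on the database, so no server role is needed for the site to connect. Run it as a sysadmin in SSMS; it targets SQL Server 2005 syntax (sp_addrolemember rather than ALTER ROLE ... ADD MEMBER).

```sql
-- Added example; not part of the original Q&A or of FunnelWeb itself.
-- Assumptions: the app's tables are in schema dbo; FunnelWebApp and the
-- password placeholders are invented for illustration.
USE master;
GO

-- 1. The setup from the question: a SQL login mapped to a db_owner user.
--    CREATE LOGIN grants CONNECT SQL; CREATE USER grants CONNECT on the
--    database. Nothing else is required to connect, so no server role.
CREATE LOGIN FunnelWebAdmin
    WITH PASSWORD = 'Replace-With-A-Long-Random-Secret-1!',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
USE FunnelWeb;
GO
CREATE USER FunnelWebAdmin FOR LOGIN FunnelWebAdmin;
-- db_owner is full control of the database: this is the part that makes an
-- injection in the web app fatal for the whole database.
EXEC sp_addrolemember 'db_owner', 'FunnelWebAdmin';
GO

-- 2. Least-privilege alternative for the login that goes in the web site's
--    connection string: DML on the dbo schema only, no DDL, no db_owner.
--    If the application must create or alter its own tables (for example on
--    first run), do that step once with FunnelWebAdmin, then point the site
--    at FunnelWebApp.
USE master;
GO
CREATE LOGIN FunnelWebApp
    WITH PASSWORD = 'Replace-With-Another-Long-Random-Secret-2!',
         CHECK_POLICY = ON, CHECK_EXPIRATION = OFF;
GO
USE FunnelWeb;
GO
CREATE USER FunnelWebApp FOR LOGIN FunnelWebApp WITH DEFAULT_SCHEMA = dbo;
GRANT SELECT, INSERT, UPDATE, DELETE ON SCHEMA::dbo TO FunnelWebApp;
-- Only needed if the application calls stored procedures.
GRANT EXECUTE ON SCHEMA::dbo TO FunnelWebApp;
GO

-- 3. Verify the effective permissions by impersonating each user and
--    asking the engine. REVERT returns to the sysadmin context.
EXECUTE AS USER = 'FunnelWebApp';
SELECT IS_MEMBER('db_owner')                                  AS is_db_owner,
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'SELECT')           AS can_select_dbo,
       HAS_PERMS_BY_NAME(NULL, 'DATABASE', 'CREATE TABLE')    AS can_create_table,
       HAS_PERMS_BY_NAME(NULL, 'DATABASE', 'ALTER')           AS can_alter_database;
REVERT;
GO
EXECUTE AS USER = 'FunnelWebAdmin';
SELECT IS_MEMBER('db_owner')                                  AS is_db_owner,
       HAS_PERMS_BY_NAME(NULL, 'DATABASE', 'CREATE TABLE')    AS can_create_table,
       HAS_PERMS_BY_NAME(NULL, 'DATABASE', 'ALTER')           AS can_alter_database;
REVERT;
GO
```

The final two queries make the trade-off concrete: for FunnelWebApp the DDL columns come back 0 while SELECT on dbo is 1, so a SQL injection through the site can read and change rows but cannot drop tables, add triggers, or alter the database; for FunnelWebAdmin every column comes back 1. Keep the admin login for deployments run from SSMS, and never put it in the web.config connection string.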

Licensed under: CC-BY-SA with attribution