Need help defining how IIS interacts with SqlServer

  • Hi,

    I'm an Oracle DBA that has been tasked with working on a SQL Server project.

    Please excuse my lack of knowledge here, the question may sound simple.

    The developers have set up a web site that allows access onto the SQL Server database. Users can create new rows in tables, and view existing rows.

    The problem I have is that I have created the database, and the IIS setup seems to default and log on as SA. This means that if anyone manages to hack the website, they can destroy the database.

    What I need is some sort of role setting up, with read and update privileges, but no DROP privileges or SA admin privileges.

    How do I go about this, and how do I get IIS to log on as this role?

    Many thanks for your invaluable help.

  • You need to find out how the application connects to the SQL database. IIS does not connect to the database tier, the application does. Chances are that the development team is using a connection to the server via the SA account.

    You should have the dev team use a SQL or Windows login with restricted rights via the connection string.

  • Agree with above. The web site will simply use a connect string, specifying destination server, database, account and password. Most likely, it'll be held in the global.asa file, but not always. Personally, I'd set up a new account with the rights you'd like it to have, then force the issue by changing the SA password.

    As for more general "how do you do it" questions, though, I've found an invaluable resource (being in a similar position to you, having started from the Oracle side) is SQL Server for the Oracle DBA - an ebook written by Chris Kempster. You can get it from his web site (http://www.chriskempster.com/). That said, there are plenty of others like us with good grounding in Oracle here on this site, so you shouldn't have too many problems getting answers to any specific questions you come up with.

    Semper in excretia, sumus solum profundum variat

  • Thanks guys, I'm gonna have a play with this and get back to you soon

  • Hi guys,

    Can anybody point me to a good link to Books Online, which might give me a clue how to do this?

    Many thanks

  • What programming language is the web site developed in, ASP.NET? The developers have to connect to the database via a connection string. For .NET applications the connection information is found in the web.config file. This file can be found in the root of the application.

    I would create a SQL login with the restricted rights and tell the developers to use this login for their database connection.

  • The developers have to make the change. You do not, unless you are also developing the application. Have them change the config file to connect using the login you want them to use.
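
The restricted login the replies recommend, sketched in T-SQL as an added example that is not part of any post in the thread. It assumes SQL Server 2012 or later, and the database, login, user and role names and the password are hypothetical placeholders.

```sql
-- Added example: least-privilege login for the web application.
-- WebAppDb, web_app_login, web_app_user and web_app_role are hypothetical names.
USE master;
GO
-- A SQL login that is NOT a member of sysadmin (unlike SA).
CREATE LOGIN web_app_login
    WITH PASSWORD = '<replace-with-strong-password>',  -- placeholder
         CHECK_POLICY = ON,
         DEFAULT_DATABASE = WebAppDb;
GO
USE WebAppDb;
GO
-- Map the login to a database user and collect its rights in one role.
CREATE USER web_app_user FOR LOGIN web_app_login;
CREATE ROLE web_app_role;
ALTER ROLE web_app_role ADD MEMBER web_app_user;

-- Read, create and update rows only. No DELETE, no ALTER, no CONTROL,
-- so the account cannot drop or alter tables in the dbo schema.
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO web_app_role;
GO

-- Check the effective rights by impersonating the new user.
EXECUTE AS USER = 'web_app_user';
SELECT permission_name
FROM   fn_my_permissions(NULL, 'DATABASE');           -- database-level rights held
SELECT HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'SELECT') AS can_select,
       HAS_PERMS_BY_NAME('dbo', 'SCHEMA', 'ALTER')  AS can_alter_schema,  -- ALTER governs DROP TABLE
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'CREATE TABLE') AS can_create_table;
REVERT;
GO

-- Audit: list every login that still holds sysadmin on the instance.
SELECT m.name AS sysadmin_member
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = 'sysadmin';

-- The application's connection string (web.config or global.asa) then names
-- this login instead of SA, for example:
--   Server=<server>;Database=WebAppDb;User Id=web_app_login;Password=<password>;
```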
