[dba-SQLServer] Back to the login thing

Jim Lawrence (AccessD) accessd at shaw.ca
Wed Nov 24 00:16:02 CST 2004


Andrew:

Thanks a lot for those links. I have not read all the detail but it looks like
the right addresses.

Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Haslett,
Andrew
Sent: Tuesday, November 23, 2004 5:52 PM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: RE: [dba-SQLServer] Back to the login thing


From remote sites, you access just using that port, which obviously requires
that port to be forwarded in your router.

For internal access, there's also a 'Client Network Utility' you can use to
set up an ALIAS to use a different port.

I think there are also issues with port 1434(UDP) from memory, but I can't
remember exactly what is involved.

Anyway I think that's what you're asking?  If not, keep firing away!

PS - The KB article is here if that helps:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;815146

Also, Top 10 tips to secure SQL
http://www.microsoft.com/sql/techinfo/administration/2000/security/securingsqlserver.asp

-----Original Message-----
From: Jim Lawrence (AccessD) [mailto:accessd at shaw.ca]
Sent: Wednesday, 24 November 2004 11:45 AM
To: dba-sqlserver at databaseadvisors.com
Subject: RE: [dba-SQLServer] Back to the login thing

Andrew:

...and how do you can the logging in to accommodate the new port
designation?

Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Haslett,
Andrew
Sent: Tuesday, November 23, 2004 2:29 PM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: RE: [dba-SQLServer] Back to the login thing


"Server Network Utility" - changes the port SQL listens on.

There's also a KB article on it.

-----Original Message-----
From: Jim Lawrence (AccessD) [mailto:accessd at shaw.ca]
Sent: Wednesday, 24 November 2004 4:12 AM
To: dba-sqlserver at databaseadvisors.com
Subject: RE: [dba-SQLServer] Back to the login thing

I concur.

When setting up authentication on a LAN it is very easy to create a group on
the LAN or on the SQL's server and then apply that group to your SQL
security. From then on security is a matter for the local system admin and
they can just add or subtract users from the group(s) as required and it
is straightforward to assign various sets of access rights;
viewer/user/data-entry/backup/admin.

But I do recommend that you create a back-door or two. Maybe add your user
name directly to the SQL security and leave SQL authentication available
with a very complex password. You hopefully will never have to use them but
there are times when they will be required. Like when some admin person
inadvertently turns off 'log-ins' or the domain server goes down, etc.

There is another way to add to the security. I understand, though I have never
done it, that you can change the default port (1433) to something else.
Francisco Tapia is a proponent of this method and you should check with him
on the deployment.

HTH
Jim

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com]On Behalf Of Haslett,
Andrew
Sent: Monday, November 22, 2004 9:07 PM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: RE: [dba-SQLServer] Back to the login thing


Fair enough.

However, despite what you've read, I wouldn't say SQL Authentication is
*insecure* - well, it's definitely no worse than entering a username /
password on a website which I'm sure you do from time to time..

You still need to get access *through firewall and NAT* to the network that
the server is on (which is currently your LAN) and *then* guess a username
and password for an account on SQL, which *then* must have the necessary
privileges to do any harm to the server.

And to be honest, if your LAN is compromised, odds are the administrator
account will be hacked anyway, giving the user access to the SQL server
whether you're using Windows or SQL authentication.

Anyway, I'm assuming that whatever the final product, it's not going to
remain on your home LAN is it?  What I'm getting at, is that once it's
finished, an entirely new security model will need to be implemented on the
server that it will reside on, so it's pretty much irrelevant as to how
you're accessing the database from EM at the moment.

Even if it is to remain on your LAN it takes only the click of a button to
switch off SQL Authentication..

Considering the trouble it's caused you and the time lost trying to set up
Windows Auth, seems pretty pointless not to use SQL Authentication to get
the job done in the meantime...

-----Original Message-----
From: John W. Colby [mailto:jwcolby at colbyconsulting.com]
Sent: Friday, 19 November 2004 12:56 AM
To: dba-sqlserver at databaseadvisors.com
Subject: RE: [dba-SQLServer] Back to the login thing

Andrew,

While I am the only user of this db ATM, in the near future the owners of
the database expect to be able to use it in some undetermined manner.  I do
not know yet the "how" of the access - it will probably be a mix of web
server, remote access and / or vb.net application.  In any event I have read
(and as you are well aware I am totally ignorant on this stuff) that using
windows authentication is more secure.  I am therefore making every effort
to get this set up from the get-go to do that so I don't have a "gaping
security hole" hanging out there forgotten.

John W. Colby
www.ColbyConsulting.com

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/

-----Original Message-----
From: dba-sqlserver-bounces at databaseadvisors.com
[mailto:dba-sqlserver-bounces at databaseadvisors.com] On Behalf Of Haslett,
Andrew
Sent: Wednesday, November 17, 2004 11:11 PM
To: 'dba-sqlserver at databaseadvisors.com'
Subject: RE: [dba-SQLServer] Back to the login thing


As we've suggested multiple times, why are you using Windows Only
Authentication?

If this is just an internal system, then there's no need.  Just set up some
accounts using SQL Authentication on the other boxes and connect to it using
this username and password.  Presto. You're done.

-----Original Message-----
From: John W. Colby [mailto:jwcolby at colbyconsulting.com]
Sent: Thursday, 18 November 2004 1:04 PM
To: dba-sqlserver at databaseadvisors.com
Subject: [dba-SQLServer] Back to the login thing

I really need to get query analyzer able to run on Neo2 SQL Server from all
of my workstations.  I have gone through the systems setting security on the
servers to Windows only / System Account.  EM is now able to see Neo2 Server
from all the workstations, and can in fact browse the tables, open the main
table and return records etc.

QA however fails at the login with a consistent "Login failed for user
'Neo2\Guest'".  Msg 18456, level 16, state1.  On Neo1, Neo2 and Soltek1 I am
logging in to Windows as Administrator with an identical password on each of
those three machines.  I can use QA on Neo2 but I cannot use QA on Neo1 or
Soltek1 against Neo2.

Can anyone help me figure this thing out?  I REALLY need to get all my
workstations banging queries against SQL Server on Neo2.

John W. Colby
www.ColbyConsulting.com

Contribute your unused CPU cycles to a good cause:
http://folding.stanford.edu/


_______________________________________________
dba-SQLServer mailing list
dba-SQLServer at databaseadvisors.com
http://databaseadvisors.com/mailman/listinfo/dba-sqlserver
http://www.databaseadvisors.com

IMPORTANT - PLEASE READ ******************** This email and any files
transmitted with it are confidential and may contain information protected
by law from disclosure.
If you have received this message in error, please notify the sender
immediately and delete this email from your system.
No warranty is given that this email or files, if attached to this email,
are free from computer viruses or other defects. They are provided on the
basis the user assumes all responsibility for loss, damage or consequence
resulting directly or indirectly from their use, whether caused by the
negligence of the sender or not.