Permanently prevent query analyzer from accessing particular database

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Archive: Security Creating a SQL Server user authentication schema Could a join of encrypted SQL Server data have a problem? SQL Server connection lost when SA password is changed How to set SQL Server password for SA login Creating a login in SQL Server 2000 Enterprise Manager Code to connect SQL Server 7.0 to Visual Basic 6.0 Set SQL Server password on database in version 7.0 Solve SQL Server permissions and authentication problems Create username and password for new SQL Server database Recover password in SQL Server 2000 SQL Server Security Password cracking tools for SQL Server Meet compliance requirements with improved database security practices Hardening the network and OS for SQL Server security Securing the server and database in SQL Server SQL Server security made simple and sensible Blog: Protect your databases from the internal threat Setting up SQL Server Service Broker for secure communication The keys to database backup protection for SQL Server Understanding transparent data encryption in SQL Server 2008 The fine line between not encrypting your databases and breach notification SQL Server Database Modeling and Design Optimizing SQL Server indexes –- even when they're not your indexes Top tips and tricks for SQL Server database development Managing the development lifecycle with Visual Studio Team System 2008 A first look at Visual Studio Team System 2008 Database Edition Testing transaction log autogrowth behavior in SQL Server Top 10 SQL Server Tips of 2008 Tutorial: SQL Server indexing tips to improve performance Tutorial: Learn SQL Server basics from A-Z SQL Server database design disasters: How it all starts Can you shrink your SQL Server database to death?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary data corruption  (SearchSQLServer.com) data hiding  (SearchSQLServer.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

VIEW MEMBER FEEDBACK TO THIS ASK THE EXPERT Q&A.

Query Analyzer is only a vehicle for executing queries, it does not by itself grant access to data. Conversely, it does not restrict access to data. The access to your data is defined by the user account (or role, more specifically) used with Query Analyzer (or Enterprise Manager or OSQL.exe).

If your intention is to prevent your USERS from having direct access to your data (via Query Analyzer, Enterprise Manager, or OSQL, etc.), you must make sure to restrict their access using user accounts. If, as I suspect, they are all using the "SA" password, that is your first area of improvement--create user accounts for all of them (or save time and use Windows authentication).

I think what the developer was trying to ask was this: If you setup security groups that allow a user access to a database, whether it be read or read/write to the data itself, can you also restrict how the user access the data? This developer would like the user to access data via his program.
—Joseph D.

******************************************

No. If a user has been granted access to a table using proper SQL credentials, SQL will not enforce by which method the user can connect to that data. You could, in theory, create some triggers that would launch upon each SELECT statement that would check to see which sysprocesses::program_name the user was employing to get to the data. If they're using Enterprise Manager or Query Analyzer you could boot them out or refuse to run the query. That, however, would be a pretty big performance hit.

You could also put a "CHECK" constraint for certain tables (such as CHECK APP_NAME()='MySpecialApp.exe') but you would also see a performance hit. If it is of supreme importance that users only use your program to get to the data I would encrypt the data and have your program perform the decryption.
— Steven Andres, Security Expert

******************************************

Another option for the developer would be using Application Roles and Application Passwords. If the application uses a very restricted user account or role to initially connect to the database and then issues an application password that grants the application all the rights it requires, no other users or roles would need to be assigned to the database. This would restrict access to the database through the application, except for those with administrative access to the SQL Server.
—Lynn P.