Re: Which hardware upgrades are more important
- From: "Rick Brandt" <rickbrandt2@xxxxxxxxxxx>
- Date: Thu, 05 Jan 2006 20:43:42 GMT
Lyle Fairfield wrote:
> I don't pretend to know much about security.
>
> But I do ask:
>
> To get into a website I need (I think) a UserName and Password.
> To get into an Internet enabled MS-SQL Server I need a Username and
> Password.
>
> After I get in, I suppose the UserName is likely to determine how much
> damage I can do. I suppose the Server and Website are somewhat
> similar; it's quite likely that my UserName may not let me do
> unlimited damage.
>
> Companies like Interland rent these web-enabled MS-SQL Server DBs by
> the thousands. I've had several over the years and have never lost
> anything (then again I've never had much there worth stealing!). I've
> never heard of these being broken into, although it's clear upon
> examining the other (not my) dbs on the server that many of their
> owners are very lax about security. I've never heard of any big
> intrusion. Maybe they happen. I'm tempted to ask if someone can break
> into one of mine which I'm not using at present, but maybe that's not
> such a smart idea.
>
> I've worked with MS-SQL servers in multi-million dollar corporations.
> The security is ...well there isn't any. Generally anyone using any db
> on any server has access to EVERYTHING if he/she knows where to look.
> The logins are the Windows logins so when someone goes to lunch ....
> Of course, they pay their dbo's 60 grand a year ... maybe that's why.
>
> Just rambling on...
I had all of these same questions when they told me that I needed to
re-write my external apps. "SQL Server is supposed to use 'REAL' security
so what's the problem with leaving the port open to the internet?"
I asked around a bit on the SS forums and mostly the responses I got agreed
that leaving the server accessible via the internet was a security risk.
Adding fuel to the fire was all of the MS security bulletins that were
coming around almost daily back then. Until I changed my apps one of our
systems guys made sure to CC me on every one of these that he received.
Of course most of those bulletins described exploits that could happen only
if you had no password on the default sa account (well duh!).
All in all I can't complain as I was forced to learn a bunch of new
technologies to make the switch and that's always a good thing.
--
I don't check the Email account attached
to this message. Send instead to...
RBrandt at Hunter dot com