Sunday, February 19, 2012

Hosting Environment - Advice please

(Please forgive me for cross posting on this one)
I am attempting to offer some kind of hosting of SQL databases as an add-on
to a Web Platform I have built. Unfortunately my SQL knowledge is a little
short of l33t.
My question is this:
Is it better to write a web front end to allow the customer to administer
their databases, or to allow them access to Enterprise Manager, from where
they can administer their databases?
thanks
Martin[dot]Christopher[at]uk[dot]easynet[dot]net|||I think it's a bit risky to give folks access to Enterprise Manager, and
it's not usually the done thing. By using a tool you develop you can control
exactly what the customer can do.
|||Yes, I think there is still a risk, but you could reduce this by using some
of the following:
You could use a stored procedure to execute their statements, and give the
user execute rights to this proc only.
By checking the type (sysobjects.type) of any tables they were trying to
access, you could limit their access to system objects.
"Martin c" <martin@.nospam.com> wrote in message
news:OFAWktQfDHA.556@.TK2MSFTNGP11.phx.gbl...
> I was considering a simple bit of ASP that allows them to run SQL scripts
> (entered into a text box) on the server, and include some command checking.
> The scripts would all be run under the context of the user in question.
> Would I be right in assuming though, that without specific subroutines to
> avoid contact with any system databases, it would be possible for a
> malicious user to glean enough information out of the server to launch an
> attack that has a fairly high probability of compromising the server?
> M
|||Thanks for your help here Nick. I'll go write some code and see what I can
come up with.
M
|||Hi Martin,
What kind of functions would you provide to the customer? If you want to
code it yourself, it would require a lot of extra effort if you want to
provide flexible management and functions.
If you fear that Enterprise Manager provides too many functions for
customers to easily destroy SQL Server databases, you can restrict their
permissions. And let them know that customers who do not need management
ability cannot install Enterprise Manager.
Bill Cheng
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
This posting is provided "as is" with no warranties and confers no rights.
--
| From: "Martin c" <martin@.nospam.com>
| Subject: Hosting Environment - Advice please
| Date: Wed, 17 Sep 2003 11:49:29 +0100

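One way to apply the "restrict their permissions" advice from the replies above, as an added example that is not part of the original thread: a per-customer login confined to its own database, followed by checks that confirm the confinement. The names `tenant_acme` and `acme_db` and the password placeholder are hypothetical, and the syntax assumes SQL Server 2012 or later rather than the Enterprise Manager era release discussed in the thread.

```sql
-- Added example. All names (tenant_acme, acme_db) are hypothetical.
-- Syntax is SQL Server 2012+; run as a sysadmin while provisioning.

-- 1. One login per customer, no server roles, landing in its own database.
CREATE DATABASE acme_db;
GO
CREATE LOGIN tenant_acme
    WITH PASSWORD = '<generate-a-unique-strong-password>',  -- placeholder
         DEFAULT_DATABASE = acme_db,
         CHECK_POLICY = ON;
GO
-- Hide the names of other customers' databases from this login.
-- Its own database is reached through the default database set above.
DENY VIEW ANY DATABASE TO tenant_acme;
GO

-- 2. Map the login into its own database only, with roles narrower
--    than db_owner.
USE acme_db;
GO
CREATE USER tenant_acme FOR LOGIN tenant_acme;
ALTER ROLE db_ddladmin   ADD MEMBER tenant_acme;  -- create/alter own objects
ALTER ROLE db_datareader ADD MEMBER tenant_acme;  -- read own data
ALTER ROLE db_datawriter ADD MEMBER tenant_acme;  -- modify own data
GO

-- 3. Checks to run after provisioning.
-- Expect 0: the login holds no sysadmin rights.
SELECT IS_SRVROLEMEMBER('sysadmin', 'tenant_acme') AS is_sysadmin;

-- Expect no rows: the login is a member of no fixed server role.
SELECT r.name AS server_role
FROM sys.server_role_members AS m
JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.server_principals AS l ON l.principal_id = m.member_principal_id
WHERE l.name = 'tenant_acme';

-- Expect exactly the three database roles granted in step 2.
SELECT r.name AS database_role
FROM sys.database_role_members AS m
JOIN sys.database_principals AS r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals AS u ON u.principal_id = m.member_principal_id
WHERE u.name = 'tenant_acme';
```

Because the limits are enforced by the server's own permission system, they hold whether the customer connects through a custom web front end or a management tool.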