具有服务帐户(不是用户帐户)的 SQL Server 集成安全性
[英]SQL Server Integrated Security with a service account (not the user's account)
问题描述
We have an EXE and a DLL that reads/writes to a SQL Server database.
我们有一个 EXE 和一个可以读取/写入 SQL Server 数据库的 DLL。 The EXE and DLL runs on the user's computer. EXE 和 DLL 在用户的计算机上运行。
We would like to connect to SQL Server database using Integrated Security, but not with the user's windows id, instead with a windows service account.我们想使用集成安全连接到 SQL Server 数据库,但不是使用用户的 Windows id,而是使用 Windows 服务帐户。 This way, we don't need to give the users write access to the database.这样,我们不需要授予用户对数据库的写访问权限。
Since the user runs the EXE and DLL on the user's computer, is it possible to set SQL Server connection string to integrated security, but uses a windows service account (not the user's account) ?由于用户在用户的计算机上运行 EXE 和 DLL,是否可以将 SQL Server 连接字符串设置为集成安全,但使用 Windows 服务帐户(不是用户帐户)?
Thank you.谢谢你。
1 个解决方案
解决方案1
0 已采纳 2021-07-29 23:56:23
Technically you could, though it is not a good idea.从技术上讲,您可以,尽管这不是一个好主意。 What you have not described is your reasoning for this requirement.你没有描述的是你对这个要求的推理。
This feels like an XY issue, by running a user application in the context of another security account, you are creating a security window that other processes might be able to hijack.
Bold claim right... If the user is running the application, then they must have a saved or stored credential for the elevated security account, or that user must have knowledge of the elevated credential.
Running background services in the context of a different account is perfectly acceptable, but when you script impersonation into how your user application executes this creates vulnerabilities, either in the way you script it and how the credential is stored, or once the user is in your application, any file access dialog, like an export, file open, file save dialog gives your user access to the filesystem and the network in the context of the account you have impersonated.在不同帐户的上下文中运行后台服务是完全可以接受的,但是当您编写脚本模拟用户应用程序的执行方式时,这会产生漏洞,无论是编写脚本的方式和凭据的存储方式,还是一旦用户进入您的应用程序,任何文件访问对话框,如导出、文件打开、文件保存对话框,都可以让您的用户在您模拟的帐户的上下文中访问文件系统和网络。 Depending on your application this could be a good thing, or a bad thing, but it is often overlooked in UX.根据您的应用程序,这可能是好事,也可能是坏事,但它在 UX 中经常被忽视。
What is further overlooked is that everything that your application does, every audit trace, every log, everything will show up as the service account, not the user account.进一步被忽视的是,您的应用程序所做的一切、每个审计跟踪、每个日志、一切都将显示为服务帐户,而不是用户帐户。 When there is a security breach and you need to trace it, you cannot separate the individual user accounts, everyone will look like this one service account, in this case, it extends to SQL Server audits and security profiling, the whole environment will look like one user using the database and that one user will probably have the highest privileges inside SQL Server, meaning it only takes one console to be compromised and that one console probably has rights to run DDL statements and could seriously cause some trouble.当出现安全漏洞并且需要追踪时,不能将单个用户帐户分开,每个人都会看起来像一个服务帐户,在这种情况下,它扩展到 SQL Server 审计和安全分析,整个环境看起来像一位用户使用数据库,而一位用户可能在 SQL Server 中拥有最高权限,这意味着只需要一个控制台就可以被攻破,而一个控制台可能有权运行 DDL 语句,这可能会导致一些严重的问题。
I can't over-state this, everyone accessing the database over a single credential, is a very bad security practice and is laughing in the face of the very robust security mechanisms built into SQL Server.
Instead, use the domain security to your advantage.相反,使用域安全性为您带来好处。 Do not be concerned about having write access to the database files, if you want your user to insert a record, it makes sense that they need windows security rights to modify the file.不要担心对数据库文件的写访问权限,如果您希望您的用户插入记录,那么他们需要 Windows 安全权限来修改文件是有道理的。 I would be more concerned that I knew who was accessing my files and when, that can only happen if they have individual accounts.我会更担心我知道谁在访问我的文件以及何时访问我的文件,这只有在他们拥有个人帐户的情况下才会发生。
If it is the management overhead that you are concerned about, then create a security group and put the necessary users into that security group.如果您关心的是管理开销,则创建一个安全组并将必要的用户放入该安全组。 Then you manage the file-level access be assigning the group jut to the files that are needed.然后,您通过将组分配给所需的文件来管理文件级访问。 Inside SQL server you can further restrict the access level to SQL operations for that user在 SQL Server 内部,您可以进一步限制该用户对 SQL 操作的访问级别
Remember that the alternative is probably to make the service account a DB Admin role or owner for the database, so any user of your app could drop the database.
If you want to use Integrated Security, then the users must already be trusted to access domain resources, the database is just another domain resource, so the security management should be treated the same.如果要使用集成安全,那么必须已经信任用户才能访问域资源,数据库只是另一个域资源,因此安全管理应该被同等对待。 The biggest reason that we want unique accounts for users is so that we can easily restrict or revoke access to individuals without having to affect ALL users on the domain.我们希望用户拥有唯一帐户的最大原因是,我们可以轻松限制或撤销对个人的访问权限,而不必影响域中的所有用户。
The best way to disassociate your users from direct access to the database is to setup a tiered DAL layer where the DAL is deployed as a standalone service that the apps communicate with, this service can run in the context of a specific user account for database operations.将用户与直接访问数据库分离的最佳方法是设置分层 DAL 层,其中 DAL 部署为应用程序与之通信的独立服务,该服务可以在特定用户帐户的上下文中运行以进行数据库操作. This usually involves substantial changes to your application design but it still introduces all the issues listed above with SQL Security implementation, yes it might solve a network security issue, but there is no easy way to apply individual user or role based security at the database level if everyone is using the same account, meaning you have the responsibility of managing this at the application level.这通常涉及对您的应用程序设计进行重大更改,但它仍然会引入上面列出的所有 SQL 安全实现问题,是的,它可能会解决网络安全问题,但是没有简单的方法在数据库级别应用基于个人用户或角色的安全性如果每个人都使用相同的帐户,则意味着您有责任在应用程序级别管理此帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.