Hi Guys
I need to create an anonymous pull subscription over the Internet.
I've got everything working but I don't want my subscribers to be able
to connect to the publisher/distributor via Enterprise Manager or
ISQLW or anything else for that matter!! Basically they should only
be able to talk to the Publishing SQL Server through replication
methods. How is this achieved?
I'm currently using SQL Security because I don't want an anonymous
subscriber to impersonate my publisher's sqlserver agent account, the
agent on the publisher is used for other scheduled tasks that need
Domain Admin privileges, am I missing something here!!
Currently I've got it secure-ish. I've used a specific sql account
and given it access in the PAL and removed the guest account from
other DBs, however you cannot remove the guest account from Master or
Msdb and said account must also be a member of the db_owner role. The
most they can do is issue select statements against tables but I think
that is even too much, for instance they can query sysservers which
would allow them to see other subscribers that we do business with.
Even if I use a secure VPN between publisher and subscriber what's to
stop an inquisitive subscriber, using the SQL account that I've told
them to use for their subscription, connecting using EM or ISQLW
through the VPN? Surely there must be a way to give ONLY replication
access but nothing else?
Please help!!

What type of Replication are you implementing? Snapshot/Transactional or
Merge?
If they have the data on the Subscriber, there would really be no need to
connect to the Publisher. So, if the users are connecting to the
Subscribing database, that's all they should need.
Are you attempting to restrict access to the Subscribed database?
There isn't a way to restrict access FROM a particular application. So, if
you allow the user to connect to the Server and grant them access to the
database, then they have access from *any* odbc or oledb application.
There isn't a way to restrict this.
Replication works using the accounts designated with the Agents. It
doesn't rely on what permissions the users have.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
Tuesday, March 20, 2012
Replication and security..is it really this UNSECURE!