Showing entries 1 to 1
Displaying posts with tag: principle of least privilege (reset)
A Long Overdue Database Security Rant

I've been dealing with a security product from a security company in recent days that breaks best practices with respect to the database configuration. This has reminded me of the list of issues I've seen over the past six months that have raised my ire. I'll rail mostly at products that use SQL Server as the back-end, but I'll save the last example for one that uses MySQL. It's not the database products that are weak. It's the application implementation on them!

Case #1: Don't EVER use SA and don't enable the network if you don't have to!

This said security product recommends the use of SQL Server if you are using it on over 1,000 users. Okay, no problem. It wants its own instance. Okay... that raises a flag in and of itself. Is performance really that bad? Well, no, not likely. Here's the kicker:

To install the application you must use the sa account. Not a service account with sysadmin rights …

[Read more]
Showing entries 1 to 1