Lockdown...the exception to the rule?

By MirrorMirror
Let me put in my disclaimer ... I was not at this company when they initially rolled out SQL Server. All of our database servers, including production, were open to God and his brother when I got here, but I have been slowly changing that.

I am the SQL Server DBA for a midsized private company. I have recommended that the SQL Server backend be as secure as possible to our management. Management is supportive of this. After thinking about how to secure a database server, reading SQL Server Operations Guide, and checking out a lot of web sites, it seems to be best practice to follow the recommendations at All of the recommendations are pretty common sense and should be no big deal. And, if a vendor or developer needs to use something that should normally not be accessed, then I am willing to work with them on that.

I have come up with a list of things that need to be locked down on my servers and have started implementing the new security measures. Most vendors have been very helpful when I have approached them with my list of things to change. Things are going relatively well.

However, I have had a couple of vendors who have acted perfectly incredulous that I want to secure my servers. It got me thinking: in most of the places I have been, security is one of the last things to be thought about. I know that when new software is installed it is easy to open up security on both the app and database so that the newly installed software will work, but it is easy to forget to go back and lock your server down later. Unfortunately, a lot of companies still operate like this.

I, of course, would not lock a server so tight that users can't perform their jobs. I just know it's bad to allow developers or users to connect to a production database server with excessive privileges. I have even experienced hack attempts that have been repelled because we have some security in place. So, I have been proven right to secure my servers.

Am I the exception to the rule in that I want to secure my database servers? How do vendors respond when you tell them that you are going to secure your database server? What do you do....Lockdown or No Lockdown??
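As an added illustration of the "excessive privileges" problem the post describes (this is example T-SQL, not something from the original post or its author), the script below shows what a lockdown typically looks like in practice on SQL Server: audit who holds sysadmin, then give a vendor application its own login and a database role holding only the permissions it actually needs. The login, database, table and role names (AppVendorLogin, SalesDb, dbo.Orders, app_rw) are hypothetical placeholders.

```sql
-- Added example (not from the original post): replacing a sysadmin-level
-- application login with a least-privilege database role on SQL Server.
-- Names below (AppVendorLogin, SalesDb, dbo.Orders, app_rw) are hypothetical.

-- 1. Audit who currently holds server-wide sysadmin rights.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON rm.role_principal_id = r.principal_id
JOIN sys.server_principals AS m ON rm.member_principal_id = m.principal_id
WHERE r.name = 'sysadmin';

-- 2. A SQL login for the vendor app that is NOT a sysadmin and is subject
--    to the Windows password policy. (Windows authentication is preferable
--    where the vendor's software supports it.)
CREATE LOGIN AppVendorLogin
    WITH PASSWORD = '<strong-placeholder-password>',
         CHECK_POLICY = ON,
         CHECK_EXPIRATION = ON;

USE SalesDb;
GO
CREATE USER AppVendorLogin FOR LOGIN AppVendorLogin;

-- 3. A role carrying only what the application needs: DML on its own
--    table and EXECUTE on stored procedures, no DDL and no db_owner.
CREATE ROLE app_rw;
GRANT SELECT, INSERT, UPDATE ON dbo.Orders TO app_rw;
GRANT EXECUTE ON SCHEMA::dbo TO app_rw;
ALTER ROLE app_rw ADD MEMBER AppVendorLogin;

-- 4. Verify the effective grants before handing the credentials over,
--    so the vendor conversation starts from a concrete list.
SELECT dp.state_desc, dp.permission_name, dp.class_desc,
       OBJECT_NAME(dp.major_id) AS object_name
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON dp.grantee_principal_id = pr.principal_id
WHERE pr.name = 'app_rw';
```

The catalog views (sys.server_role_members, sys.database_permissions) and ALTER ROLE ... ADD MEMBER require SQL Server 2005 and 2012 respectively; on older instances the equivalents are sp_helpsrvrolemember and sp_addrolemember. Running step 1 and step 4 periodically, and keeping their output, is also what lets you show management and auditors that the lockdown has actually held after the next vendor upgrade.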
