SQL Server/Windows集成安全性对任何事情都有好处吗? [英] Is SQL Server/Windows integrated security good for anything?
问题描述
Windows用户权限与任何一组SQL Server GRANT之间的区别似乎是不相关的概念.通常,它似乎实际上是通过伪登录来实现的,用于数据库角色.但这并不能有效地映射回Windows权限.假设进行一次登录身份验证,为什么不只使用最简单的数据库角色呢?
The distinctions among Windows user permissions and any set of SQL Server GRANTs seem like unrelated concepts. As often as not, it seems to actually be implemented with pseudo-logins for database roles; but that doesn't map usefully back to Windows permissions. Assuming single-login identity verification, why not just go with the simplest possible database roles?
到目前为止,我们已经获得了不需要在应用程序中存储密码的单一好处.但是,这似乎比设计目标更是琐碎的有益结果.还有许多其他更直接的方法可以实现这一目标,而无需紧密结合两个领域的整个安全机制.
So far we've picked up the single benefit that you don't need to store a password in your application; but that seems more like a trivial beneficial consequence than a design goal; there are lots of other more direct ways to achieve that, without closely coupling the entire security apparati of both universes.
再次
除了单一登录和SD维护组的能力,从而复制SQL Server中已经存在的组功能(基于相同的用户登录),其他人没有其他好处吗?
EDIT AGAIN:
Doesn't anyone else have any benefit to suggest, other than single login and ability for SD to maintain groups, thereby duplicating the capability for groups (based on the same user login) already existing in SQL Server?
小组问题有几个缺陷,包括假定AD经理被假定具有同等资格来维持这两个缺陷;并且排除了不属于AD的任何网络连接(从而使您无法使用MS技术.)
The group issue has several flaws, including the assumption that the AD manager is assumed to be equally qualified to maintain both; and it excludes any network connections that aren't part of AD (thereby locking you into MS technology.)
用最佳实践的话来说,您已经建立了系统的耦合,这通常被认为是一件坏事.
And to put it in best-practice terms, you've built in coupling of systems, which is generally conceded to be a Bad Thing.
推荐答案
其中许多已经说过或与以前的答案相似...通过AD集成:
Many of these have been said or are similar to previous answers... With AD integration:
a)我不必担心有权访问任何给定应用程序的用户,我可以将其传递给安全人员.
a) I don't have to worry about the users who have access to any given application, I can pass that off to the security guys.
b)我可以基于已经存在的组在表级别上限制对表的访问,也可以强制标准用户只能调用存储的proc.
b) I can restrict access at a table by table level based on groups that already exists, as well as forcing standard users to only have the ability to call stored proc's.
c)当开发人员离开我的小组时,我们不必更改所有数据库密码(即,如果您关心数据安全性...)
c) When a developer leaves my group, we don't have to change all the DB passwords (i.e. if you care about data security...)
d)可以根据进行更改的用户轻松进行自定义日志记录.还有其他方法可以做到这一点,但是我只想变得懒惰.
d) It's easy to do custom logging based on the user who makes the change. There are other ways to do this, but I'm all about being lazy.
e)与IIS身份验证集成.如果您已经在使用IE&您的Intranet的IIS,这使生活变得更加轻松.
e) Integrates with IIS authentication. If you're already using IE & IIS for your intranet, this just makes life a lot easier.
注意:还有更多的理由不使用它,而且我在现任职位之前从未使用过它.在这里,所有内容都已经在AD中排列好了……这是我有史以来使用数据库安全性最简单的时间.
Note: There are far more reasons not to use it, and I never used it before my present position. Here where everything is lined up in AD already... It's just the easiest time I've ever had with database security.
这篇关于SQL Server/Windows集成安全性对任何事情都有好处吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
