14 thoughts on “Still Using Windows Logins for your Databases? You’re Doing it Wrong”

  1. I agree with using groups over user accounts whole heartedly.  However, I disagree with having a seperate group from the DBA group manage the membership of those groups.  As a DBA or application owner it is your responsibility to maintain security and access to your data.  I work for the company that caused SOX to be created and have been through enough audits to know that you can’t blame another group.  If they ask how a certain account gained access to your data you better have an answer.
     
    You also have to have some delegation.  A single organization to manage all AD security groups in a large corporation is not feasible.  You have to delegate the management of those groups to the application owners.
     
    I’m a firm a believer that as a DBA you should at least know the basics of any platform your database sits on.  If it’s on a cluster then you should know the basics of Windows Clustering and SQL Clustering.  If it’s in a domain then you should know the forest architecture and the groups you are using.  You should also know the types of groups you are using and how that could affect access to your data.  There is a big difference between Global Groups, Domain Local Groups, and Universal Groups.

    Reply
    • Ryan,

      My experience says otherwise, but my company had more regulations than just SOX, as do many of the companies I work with currently.

      The line that would be drawn was at the instance level. Anything inside the instance was our responsibility. Outside the instance (i.e., Active Directory) was for a different group. This reduces your risk because it is less likely that someone can gain inappropriate access through something like social engineering. They would need to talk their way past two groups, and not just one person. 

      As a DBA I was responsible for over 3,000 databases and the idea of my small group being able to maintain the “who should have access to what specific systems” is just silly. It’s much more efficient to have a security team add/remove users from AD and let the DBAs focus on the groups and role based security inside the instance itself. 

      That doesn’t mean the DBAs don’t have work to do, but it does mean that at the end of the day we are not the ones with our hands in AD, and we are not the ones approving requests for access.

      HTH,

      Tom

      Reply
      • I’ve worked both sides of the fence (AD and DBA) and I agree that the DBA should not have his hand in AD and the AD guy should not have his hand in SQL.  Reading over everything again I make it sound like the DBA should be handling the AD group by adding and removing members himself (not what I meant).  When I read your comments it sounds like someone could just ask the AD guy to add them to a group because he manages it (I won’t speculate as to your meaning).

        I think what we are missing to articulate here (or at least me) is that there needs to be a process in the middle where a user requests the access, the application owner approves it, the AD guy adds the user to the group, and the DBA already has that group added to the proper roles.

        Roles are another good thing where the same principal should be applied.  Grant access through roles instead of individual accounts or groups.  Of course if you are already using groups like you should be, that becomes much easier to manage.

        Reply
    • Mpaine,

      My experience is that application roles can be limiting in their usefulness. You could certainly still use Windows groups in order to control access to the application itself, and then use an app role to connect to a database. But you will need to perform some extra steps if the app uses certain features such as linked servers.

      Tom

      Reply
  2. We’ve also been burnt by going down the “grant login for each user” path for all the reasons mentioned: multiple environments, staff coming/going/changing roles. This has gotten far worse over time as the number of databases in our organisation has increased.

    So we got wise and decided to rationalise permissions throughout all of our environments. We added groups to Active Directory and granted only those groups access to the databases. What complicated things however was that different people required different levels of access to our Dev/Test/Stg/Trn/Prod environments. So we had to create a different set of groups for each of those environments. 

    The problem then arose that our database deployment tool had only a single source of information for database permissions. That meant whatever permission scheme we defined during development had to be universally applied to all environments, because any manual changes to the permissions in a database (outside source control) would be undone during the next deployment.

    As you can imagine this caused our DBAs much consternation because every time they would add a group in a test environment database, the permission would suddenly disappear each time TeamCity (our Continuous Integration server) did a deploy!

    Our solution was to first de-couple users from the permissions by assigning the permissions to specific roles within the database. Then we would use a naming convention for our groups, eg. CRM Administrators (TEST), CRM Users (PROD) etc, and do a post-checkout string replace on the source-controlled user files so that the appropriate group got granted permission to the roles in each database environment. This is far from ideal and is a pain whenever a new group needs to be created, but it works.

    Despite all this trouble I still believe deployment automation for databases is the way forward for us, but my current thinking is to find a way to segregate security administration in databases from the deployment of the database itself. This way groups could be added or removed manually in the target environment databases without being impacted by the deployment automation. I would be interested to hear if anyone has a more effective solution to this problem.

    We’re also looking at ways to agree on ways to consolidate the roles to reduce this administration burden (right now we’re still in a bit of a reactive mode).

    Reply
    • Daniel,

      That sounds familiar to me as well. The end result was that a few years ago we found that Kerberos only allowed for people to be members of a certain number of groups in AD (I think about 200 or something, probably based on the length of the string which meant we wanted shorter group names and I think MSFT fixed this eventually). 

      Anyway, the idea was the same. We had different permissions for people based upon environments and it was a jumbled mess. But it was a lot better than trying to manage permissions for specific user logins by hand.

      Tom

      Reply
  3. So, who creates the groups if the AD people control AD?
    This is my dilemma, my AD folks want only groups on the databases, and they want a group created for every every permission level on every database on every server on every environment, and then they want to add AD groups into those groups.
    The only problem is that they want all these groups, but they not only control membership but the creation of the groups themselves, and this ends up putting enormous delays into processes which should be taking me moments to do.
    If I have a group that currently has execute privileges on a given database and I want to add write privileges, then I am supposed to put in a request for the group to be created, wait for it to be done, then add it to the database and assign the privilege (hoping they put the right folks into the group), all while the customer is pinging how they can’t do their job. Multiply this by hundreds of databases and you have my current world.

    Reply
    • Dave,

      I used to live in that world, and I believe that is when I started my bacon addiction because adding bacon to anything just makes it better.

      Not only does the customer get frustrated at you for something that is not in your control, but when they are added to groups and things still don’t work right it is up to you to track down the issue. At the end of the day you bear the burden of making things work, no matter how far outside the db engine the problem truly lies.

      Tom

      Reply
  4. I agree that having Windows group instead of windows login is an excellent idea, but I’ve run into a problem that I haven’t been able to figure out.
    Let’s say that we have a group of ADMINs that have access to a SQL instance based on AD group memebership.
    Let’s call that ADMIN_DBA group.
    Now, our company has a policy that all Maintenance Plan are to be owned by the SA account.  So every now and then when auditing SQl instances, I run this query:

    select a.name, a.ownersid, b.name
    from msdb.dbo.sysdtspackages90 a
    left join master.sys.syslogins b on b.sid = a.ownersid

    The problem that I have is when naughty DBA forgets to change the maintenance plan owner over to SA, I can’t tell who it was with the above query, it will just show up b.name as NULL, since they do not have a Windows login stored on the syslogin tables.

    Anybody knows a way around this?  How can I tell what group membership a given SID has?

    Thank you for your help.

    Reply

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.