Friday, February 24, 2012

Disable Windows Authentication mode in WDA

Hi,
I have installed MS SQL Server 2005 Express Edition and SQL Web Data
Administrator on my Windows 2003 web server with IIS 6.0.
Everything works fine, but I want to deny the users to log on WDA using
Windows Integrated authentication.
At the moment when I open http://ipaddress/webadmin in IE, I get the
following textboxes:
Username: SERVERNAME\Administrator (disabled / greyed out)
Password: <blank> (disabled / greyed out)
Server: (local)
and the following radio buttons:
Authentication Method: Windows Integrated (selected by default)
SQL Login
If I change the Server textbox value from (local) to server\instancename
and click login, it logs me in straight away where I can perform any
admin functions.
I don't want any user to log on using Windows Integrated authentication.
Is there any way around this problem? I don't want my system to get
hacked either, so I can't just change the default.aspx file and then allow
hackers still to point to my server with some default variable values
and get access.
Thanks in advance.
Regards

You cannot disable Windows Authentication mode (:. If you allow the user
to log on to the computer where SQL Server runs as administrator, that user can
do anything to the SQL Server. Period. So, simply guard that computer's
administrator account as tight as you can. If you log on with any other
account to the computer, as long as you did not give access to SQL Server to
those user accounts, the SQL Server will be fine. So, you see, if you
developed some solution that uses SQL Server/Express and you delivered it to
your clients, as long as your clients have full rights on their computers
(administrator), they can get into the SQL Server/Express you delivered.
<gogaz@.rediffmail.com> wrote in message
news:1161030857.258517.78090@.i42g2000cwa.googlegroups.com...
> Hi,
> I have installed MS SQL Server 2005 Express Edition and SQL Web Data
> Administrator on my Windows 2003 web server with IIS 6.0.
> Everything works fine, but I want to deny the users to log on WDA using
> Windows Integrated authentication.
> At the moment when I open http://ipaddress/webadmin in IE, I get the
> following textboxes:
> Username: SERVERNAME\Administrator (disabled / greyed out)
> Password: <blank> (disabled / greyed out)
> Server: (local)
> and the following radio buttons:
> Authentication Method: Windows Integrated (selected by default)
> SQL Login
> If I change the Server textbox value from (local) to server\instancename
> and click login, it logs me in straight away where I can perform any
> admin functions.
> I don't want any user to log on using Windows Integrated authentication.
> Is there any way around this problem? I don't want my system to get
> hacked either, so I can't just change the default.aspx file and then allow
> hackers still to point to my server with some default variable values
> and get access.
> Thanks in advance.
> Regards
>
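
The reply above turns on which Windows accounts have been given access to SQL Server. As an added example (not code from the thread), this read-only T-SQL audit lists them; it relies on the fact that SQL Server 2005 setup grants the local BUILTIN\Administrators group the sysadmin role by default, and uses only catalog views available from SQL Server 2005 onward.

```sql
-- Added example, read-only: run in a query window as a sysadmin.

-- 1 = Windows Authentication only, 0 = mixed mode (Windows + SQL logins).
-- Windows Authentication itself is always on; only SQL logins are optional.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Every Windows account or group that has a server login,
-- and whether that login is a member of the sysadmin role.
SELECT  p.name,
        p.type_desc,        -- WINDOWS_LOGIN or WINDOWS_GROUP
        p.is_disabled,
        CASE WHEN sa.member_principal_id IS NULL THEN 0 ELSE 1 END AS is_sysadmin
FROM    sys.server_principals AS p
LEFT JOIN (
        SELECT rm.member_principal_id
        FROM   sys.server_role_members AS rm
        JOIN   sys.server_principals   AS sr
               ON sr.principal_id = rm.role_principal_id
        WHERE  sr.name = 'sysadmin'
) AS sa ON sa.member_principal_id = p.principal_id
WHERE   p.type IN ('U', 'G')  -- U = Windows login, G = Windows group
ORDER BY is_sysadmin DESC, p.name;
```

A WINDOWS_GROUP row such as BUILTIN\Administrators with is_sysadmin = 1 means every local administrator of the machine is a SQL Server administrator, which is the situation the reply describes.
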
Thanks for the reply. I have sorted out the problem now. Actually when
I downloaded WDA from
http://www.microsoft.com/downloads/d...displaylang=en
and installed it on server, it created a folder Samples under
C:\Program Files\Microsoft SQL Server Tools\Microsoft SQL Web Data
Administrator
In that folder I found source code application for WDA. So I opened it
in VS2003 and updated it as per my requirement. Wicked application this
is!!
I will upload it on my server and will post the link here soon I have
updated it further and tested it myself
Regards
Norman Yuan wrote:
> You cannot disable Windows Authentication mode (:. If you allow the user
> to log on to the computer where SQL Server runs as administrator, that user can
> do anything to the SQL Server. Period. So, simply guard that computer's
> administrator account as tight as you can. If you log on with any other
> account to the computer, as long as you did not give access to SQL Server to
> those user accounts, the SQL Server will be fine. So, you see, if you
> developed some solution that uses SQL Server/Express and you delivered it to
> your clients, as long as your clients have full rights on their computers
> (administrator), they can get into the SQL Server/Express you delivered.
> <gogaz@.rediffmail.com> wrote in message
> news:1161030857.258517.78090@.i42g2000cwa.googlegroups.com...
