06-07-2020, 12:04 PM
Hi, everybody,
I am writing here on behalf of my company, which is conducting a security audit of its internal systems. I am in charge of managing SQL Server, so I have to ask the team some technical questions regarding the software ASG Remote Desktop.
Currently our ASG-Remote Desktop installation connects to SQL Server with a SQL login that is db_owner of the application's database.
These are the questions I have to ask you:
- What are the minimum SQL grants that the application needs to operate properly? (Is the db_owner role on the application's database enough?)
- Does the application need sysadmin rights to operate correctly?
- Does the application use the sa account?
- Which owner should the application's databases have?
- Does the application use the CLR Integration (assemblies) functionality? If not, can we disable it?
"Application Security is the responsibility of the Application development and Support teams. Application teams are encouraged to follow Microsoft guidelines to enforce best practices. Microsoft Security considerations can be found at: http://msdn.microsoft.com/en-us/library/bb510589.aspx
An example of the best practices to reduce the effects of SQL Injection attacks can be found at: http://msdn.microsoft.com/en-us/library/ms161953.aspx"
- Are Microsoft's software-security best practices already applied?
Thanks
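While waiting for the vendor's answer, the same questions can be checked directly against the instance. The T-SQL below is an added audit script, not part of the original post and not code from ASG Remote Desktop; it assumes the application database is named ASGRD and the application's SQL login is named asg_app, both of which are placeholders to replace with the real names. It needs to be run by a login that can read the server-level catalog views (sysadmin, or VIEW SERVER STATE plus VIEW ANY DEFINITION).

```sql
-- Added audit script (not part of the ASG Remote Desktop product or of this forum post).
-- Assumed, hypothetical names: ASGRD = application database, asg_app = application SQL login.
DECLARE @db    sysname = N'ASGRD';    -- hypothetical application database name
DECLARE @login sysname = N'asg_app';  -- hypothetical SQL login used by the application

-- Q2: does the application login hold sysadmin (or any other fixed server role)?
-- An empty result is the expected hardened state; a 'sysadmin' row means full control of the instance.
SELECT r.name AS server_role
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- Q3: is the built-in sa login disabled? sa always has SID 0x01, even when renamed.
-- is_disabled = 1 is the expected hardened state.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- Q4: who owns the application database? SUSER_SNAME resolves the stored owner SID to a login name.
SELECT name AS database_name, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE name = @db;

-- Q1: which database roles does the application's user hold inside the application database?
-- Catalog views of another database are reached with three-part names, so this is dynamic SQL;
-- QUOTENAME keeps a malformed @db value from being interpreted as SQL.
DECLARE @sql nvarchar(max) = N'
SELECT dp.name AS db_role
FROM ' + QUOTENAME(@db) + N'.sys.database_role_members drm
JOIN ' + QUOTENAME(@db) + N'.sys.database_principals dp ON dp.principal_id = drm.role_principal_id
JOIN ' + QUOTENAME(@db) + N'.sys.database_principals u  ON u.principal_id  = drm.member_principal_id
JOIN sys.server_principals sp ON sp.sid = u.sid
WHERE sp.name = @login;';
EXEC sp_executesql @sql, N'@login sysname', @login = @login;

-- Q5: is CLR integration enabled instance-wide, and does the application database contain user assemblies?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'clr enabled';

SET @sql = N'SELECT name, permission_set_desc
             FROM ' + QUOTENAME(@db) + N'.sys.assemblies
             WHERE is_user_defined = 1;';
EXEC sp_executesql @sql;

-- Remediation for Q5, to run only after the vendor confirms CLR is not required and the
-- assemblies query above returns no rows: disable CLR integration for the whole instance.
-- EXEC sp_configure 'clr enabled', 0;
-- RECONFIGURE;
```

The first query answers the sysadmin question for the login as it is actually configured, which is the thing the audit cares about regardless of what the vendor says the product needs. The db_owner query shows whether the login could be reduced; whether db_datareader, db_datawriter and EXECUTE on the application's schema are sufficient is exactly the vendor question above, so the script reports the current state and does not change any grants. Note that disabling CLR is instance-wide and affects every database on that SQL Server, not only the ASG Remote Desktop one.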