
Sql Server: How to Deny users access to linked servers

I'd like to deny access to query linked servers to a group of users. I've put them in a role and assigned certain permissions to object level permissions to that group. I'm at a loss after searching BOL and 'net how to DENY access to linked servers.

EDIT:

I decided to break out profiler to verify exactly what SSMS is calling when displaying linked servers and ensure that a DENY was issued on that system view/SP. Turns out it calls sys.servers, but SQL Server doesn't honor the ACL on this system view -- it does for other system views (ex: sys.dm_db_index_physical_stats).

Chad asked Jun 28 '10 20:06



2 Answers

Here is a workaround I just thought of:

On the Linked Server Properties dialog box, Properties tab, add the users that you don't want to access the linked server. Then, assign them some dummy user/pass combination that will be rejected on the target server.

Miha answered Sep 24 '22 23:09


Afaik referencing a linked server is not controlled by access control lists (ACLs). In other words, you cannot GRANT/DENY/REVOKE permission to use a linked server. You can certainly control the permission to change a linked server via ALTER ANY LINKED SERVER permission.

This apparent lack of permission is because the linked servers are forwarding specific credentials to the remote server, controlled via the impersonation or the remote_logins settings associated with the linked server. The actual access control happens on the remote server, using the credentials associated with the linked server. So in order to deny a group of users access to the linked server, you need to deny that group access to the remote server on the remote server itself.

Remus Rusanu answered Sep 26 '22 23:09
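
The login-mapping workaround from the first answer, scripted in T-SQL together with an audit of the mappings the second answer refers to. This is an added example, not code from either answerer; the linked server name `REMOTE_SRV`, the local login `DOMAIN\blocked_user` and the remote user `no_such_login` are placeholders.

```sql
-- Placeholders (assumptions, not values from the original posts):
DECLARE @linked  sysname = N'REMOTE_SRV';           -- existing linked server
DECLARE @blocked sysname = N'DOMAIN\blocked_user';  -- local login to block
-- Throwaway password so the mapped credential can never be valid.
DECLARE @junk    sysname = CONVERT(nvarchar(36), NEWID());

-- Map the local login to a remote credential the target will reject.
-- @locallogin must be an individual SQL Server or Windows login; it
-- cannot be a role, so members of a role are mapped one at a time.
-- Running this requires ALTER ANY LOGIN on the local server.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = @linked,
     @useself     = 'FALSE',
     @locallogin  = @blocked,
     @rmtuser     = N'no_such_login',   -- placeholder: must not exist remotely
     @rmtpassword = @junk;

-- Audit: which local logins map to which remote credentials.
-- local_principal_id = 0 is the default mapping that applies to every
-- login without an explicit row, so check it as well.
SELECT  s.name                                        AS linked_server,
        COALESCE(p.name, N'<default: all other logins>') AS local_login,
        ll.uses_self_credential,
        ll.remote_name,
        ll.modify_date
FROM    sys.linked_logins AS ll
JOIN    sys.servers       AS s
        ON s.server_id = ll.server_id
LEFT JOIN sys.server_principals AS p
        ON p.principal_id = ll.local_principal_id
WHERE   s.is_linked = 1
ORDER BY s.name, local_login;

-- To undo the block for this login:
-- EXEC sp_droplinkedsrvlogin @rmtsrvname = @linked, @locallogin = @blocked;
```

Every query a blocked login sends through the linked server then fails at authentication, so each attempt appears as a failed login on the remote server.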