I'm new to MS SQL and asking this question as a web developer with limited sysadmin experience who desires his service providers to use best practices.
We have one database on a remote MS SQL server provided by our hosting company. Other clients of our hosting company use this same server for their databases. When I log in to the server using Microsoft SQL Server Management Studio Express, I can see a whole lot of information, including the names of all of the databases on the server and all of the logins.
While I can't access other clients' databases nor see passwords, it seems strange to me that I would even be able to see this information. I certainly don't want other clients to know the name of my database or my login. When I brought up this concern with my service provider, this was his reply:
I checked with my SQL guy and he said that unfortunately is a limitation of MSSQL Server. Although the database names are visible, you cannot access any database without the password for that database.
This is what I see after logging in:
- mssql.server.com
- Databases
- System Databases
- A whole bunch of client databases…
- Security
- Logins
- A whole bunch of client logins…
- Server Objects
- Replication
- Management
- Databases
Is this the right way to set up an SQL Server? Please confirm or deny my suspicion that the answer is no and I need to find someone else to host our database.
Best Answer
Speaking from the development side, I can say that the admin should be able to lock everyone down to their own database (and probably master as well, for metadata). From the MSDN, the list of SQL Server securables includes databases and the permissions include being able to even see the database. Here is a link to the MSDN Security considerations for databases.