> Well maybe you shouldn't be storing your username and pw in 
> your datasource in the first place.

This is no worse than storing it in your application code, generally. Both
alternatives are less than optimal.

> You shouldn't just let people access your datasource just 
> because they know its name. 

I agree that usernames and passwords should not be self-evident based on
datasource names.

> In theory you shouldn't see datasources that you don't have 
> access to if you choose not to see them, but you could argue 
> either way.

You can always argue either way. However, in this particular case, you would
be wrong to argue that showing database names to people who can't access
those databases isn't a clear violation of IT security best practices.

> I wouldn't want somebody creating a database on my server, and 
> then not giving me access to it, and for enterprise manager to 
> not even show that database to me. That's an even bigger security 
> hole. (Think Sony with their DRM rootkit technology).

In this case, the security hole would be that someone else can create a
database on "your" server, not that you can't see it. If someone can create
a database without authorization or install a rootkit on your server, in one
very important respect it is no longer your server.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/

Fig Leaf Software provides the highest caliber vendor-authorized
instruction at our training centers in Washington DC, Atlanta,
Chicago, Baltimore, Northern Virginia, or on-site at your location.
Visit http://training.figleaf.com/ for more information!
