Monday, February 20, 2012

Public role and guest security concern in SQL 2000 SP4

Hi all,

I have set up a new SQL 2000 SP4 instance, and our internal auditor has asked about revoking permissions from the Public role and removing guest from all databases.

1. Can I revoke all default permissions (select on system tables in all DBs) from the "Public" role? I am concerned about errors after such an action.

2. I found the guest account in these DBs: master, tempdb and msdb. According to the Microsoft documents, the account should not be removed, and cannot be removed from master and tempdb. How about msdb?

Thanks,

Regards,

Edwin

1. You may of course get errors from users trying to access system tables without being specifically granted access. You can resolve these issues by granting access to those users.

2. guest cannot be actually dropped - it can only be denied access to the database (hasdbaccess will show as 0). The msdb database is used by replication and SQL agent, among other components. You should check on the respective forums to see the impact of disabling guest access to the msdb database: SQL Server Replication and SQL Server Tools General.

Thanks
Laurentiu

|||

Thanks Laurentiu.

1. I searched on the web, and some people mentioned that if I revoke the default privileges from the "Public" role on the DBs (including select on system tables and execute on stored procedures), Microsoft wouldn't support my issues on this SQL Server in future. Is that true?

Thanks!

Edwin

|||

Microsoft may not be able to provide support if the user directly modifies system tables. Since all you are doing is changing permissions, your product will still be supported. Keep in mind that some features may require "public" to function properly. I can't think of any off the top of my head so once you come up with this locked down configuration you will have to do some verification testing to ensure that the functionality that you require works.

|||

As long as the changes that you make are made using documented features (revoking a permission using REVOKE statement is a documented feature), then you don't have to worry about invalidating your support options.

You should avoid making changes using undocumented techniques, such as, for example, directly updating system tables.

Thanks
Laurentiu
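The two checks discussed above (the guest user's hasdbaccess flag from the first reply, and using the documented REVOKE statement rather than editing system tables from the last one) as an added T-SQL example. This is not code from the thread or from Microsoft; it assumes a SQL Server 2000 instance, sysadmin rights, and the SQL 2000 catalog tables sysprotects, sysobjects, sysusers and master..sysdatabases. The object named in Part B (syscomments) and the database name in the final comment are illustrative choices, not something the thread specifies.

```sql
-- Part A: run inside the database being audited. List every permission the
-- public role (uid 0 in SQL Server 2000) holds on system tables and stored
-- procedures, so each REVOKE can be justified to the auditor and reversed
-- if a feature turns out to depend on it.
SELECT o.name AS object_name,
       CASE o.xtype WHEN 'S' THEN 'system table'
                    WHEN 'P' THEN 'stored procedure'
                    ELSE o.xtype END                     AS object_type,
       CASE p.action WHEN 26  THEN 'REFERENCES'
                     WHEN 193 THEN 'SELECT'
                     WHEN 195 THEN 'INSERT'
                     WHEN 196 THEN 'DELETE'
                     WHEN 197 THEN 'UPDATE'
                     WHEN 224 THEN 'EXECUTE' END         AS permission,
       CASE p.protecttype WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                          WHEN 205 THEN 'GRANT'
                          WHEN 206 THEN 'DENY' END       AS protect_type
FROM   sysprotects p
       JOIN sysobjects o ON o.id = p.id
WHERE  p.uid = 0                         -- public role
  AND  o.xtype IN ('S', 'P')
ORDER  BY o.name, permission;
GO

-- Part B: the supported way to remove a default grant is the documented
-- REVOKE statement (no direct UPDATE of sysprotects). Example object chosen
-- for this illustration: stop public reading procedure source in syscomments.
-- Re-run Part A and test the application before revoking the next object.
REVOKE SELECT ON dbo.syscomments FROM public;
GO

-- Part C: report the guest user's access flag in every database on the
-- instance. hasdbaccess = 1 means guest can enter that database; 0 means
-- access was revoked (the guest row itself is never dropped).
DECLARE @db  sysname,
        @sql nvarchar(500);
CREATE TABLE #guest_access (db sysname, hasdbaccess int);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master..sysdatabases;
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch scopes the sysusers lookup to that database
    SET @sql = N'USE ' + QUOTENAME(@db) + N'; '
             + N'INSERT #guest_access SELECT ' + QUOTENAME(@db, '''')
             + N', hasdbaccess FROM sysusers WHERE name = ''guest'';';
    EXEC (@sql);
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

SELECT db, hasdbaccess FROM #guest_access ORDER BY db;
DROP TABLE #guest_access;
GO

-- To disable guest in a user database, use the documented procedure. It is
-- not permitted in master or tempdb, and for msdb first check the Agent and
-- replication impact raised in the thread. [YourUserDb] is a placeholder.
-- USE [YourUserDb];
-- EXEC sp_revokedbaccess 'guest';
```

Part C has no error handling because SQL Server 2000 has no TRY/CATCH; a database that is offline or in single-user mode will make the USE fail and stop the batch, so exclude such databases from the cursor's SELECT before running it on a production instance. Keep the output of Part A from before and after each REVOKE as the audit evidence.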
