
Monday, February 20, 2012

Public role granted to user in master database.

In one of our sql server 2000 databases, there is an
application user that has public granted to it in the
master database. Can this be a security issue? There are
no permissions granted on objects just the public role.
I'm awaiting feedback from the vendor to find out why the
user is there. I just want to make sure this user cannot
do any harm to the master database.

|||

Not sure what you are saying. Every database has a role named public, you cannot remove this...
--
Tibor Karaszi, SQL Server MVP
Archive at: http://groups.google.com/groups?oi=djq&as_ugroup=microsoft.public.sqlserver
"Erin" <Erin_Regotti@.grainger.com> wrote in message news:a28701c3eb2d$f399e270$a601280a@.phx.gbl...
> In one of our sql server 2000 databases, there is an
> application user that has public granted to it in the
> master database. Can this be a security issue? There are
> no permissions granted on objects just the public role.
> I'm awaiting feedback from the vendor to find out why the
> user is there. I just want to make sure this user cannot
> do any harm to the master database.

|||

And everybody has public access to the master database (via the guest
account, I believe).
Russell Fields
"Erin" <Erin_Regotti@.grainger.com> wrote in message
news:a28701c3eb2d$f399e270$a601280a@.phx.gbl...
> In one of our sql server 2000 databases, there is an
> application user that has public granted to it in the
> master database. Can this be a security issue? There are
> no permissions granted on objects just the public role.
> I'm awaiting feedback from the vendor to find out why the
> user is there. I just want to make sure this user cannot
> do any harm to the master database.

Public role and guest security concern in SQL 2000 SP4

Hi all,

I have set up a new SQL 2000 SP4, and the internal auditor has a query about revoking permissions from the Public role and removing guest from all databases.

1. Can I revoke all default permissions (select on system tables in all DBs) from the "Public" role? I am concerned about any errors after such an action.

2. I found the guest account in these DBs: master, tempdb and msdb. According to Microsoft documents, the account should not be removed, and can't be removed from master and tempdb. How about msdb?

Thanks,

Regards,

Edwin

|||

1. You may of course get errors from users trying to access system tables without being specifically granted access. You can resolve these issues by granting access to those users.

2. guest cannot be actually dropped - it can only be denied access to the database (hasdbaccess will show as 0). The msdb database is used by replication and SQL agent, among other components. You should check on the respective forums to see the impact of disabling guest access to the msdb database: SQL Server Replication and SQL Server Tools General.

Thanks
Laurentiu

|||

Thanks Laurentiu.

1. I did a search on the web; some people mentioned that if I revoke the default privileges from the "Public" role on DBs (incl. select on system tables, execute on stored procs), Microsoft wouldn't support my issues on this SQL in future. Is it true?

Thanks!

Edwin

|||

Microsoft may not be able to provide support if the user directly modifies system tables. Since all you are doing is changing permissions, your product will still be supported. Keep in mind that some features may require "public" to function properly. I can't think of any off the top of my head so once you come up with this locked down configuration you will have to do some verification testing to ensure that the functionality that you require works.

|||

As long as the changes that you make are made using documented features (revoking a permission using REVOKE statement is a documented feature), then you don't have to worry about invalidating your support options.

You should avoid making changes using undocumented techniques, such as, for example, directly updating system tables.

Thanks
Laurentiu
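
The checks discussed in this thread, as an added example that is not part of any of the posts: a read-only T-SQL audit for SQL Server 2000 that reports the guest user's `hasdbaccess` flag in every online database and lists what `public` currently holds in msdb. It assumes a sysadmin login, and the temp table and cursor names are made up for the example.

```sql
-- Added example: read-only audit using documented SQL Server 2000 objects only
-- (no direct updates to system tables). Assumes a sysadmin login.
SET NOCOUNT ON

-- 1. guest status per database. hasdbaccess = 0 means guest is disabled;
--    a database with no row has no guest user at all.
CREATE TABLE #guest_status (dbname sysname, hasdbaccess int)

DECLARE @db sysname, @sql nvarchar(4000)
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd characters in database names.
    SET @sql = N'INSERT #guest_status SELECT ' + QUOTENAME(@db, '''') +
               N', hasdbaccess FROM ' + QUOTENAME(@db) +
               N'.dbo.sysusers WHERE name = ''guest'''
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

SELECT dbname, hasdbaccess FROM #guest_status ORDER BY dbname
DROP TABLE #guest_status

-- 2. Everything currently granted to or denied from public in msdb.
--    Keep this output: it is the record needed to re-grant a permission
--    if a feature stops working after a REVOKE.
USE msdb
EXEC sp_helprotect @username = 'public'

-- 3. The documented change statements, left commented out so the script
--    stays read-only. Test the impact on SQL Agent and replication first.
-- REVOKE SELECT ON dbo.sysobjects FROM public
-- EXEC sp_revokedbaccess 'guest'   -- not possible in master or tempdb
```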