
DENY ALL on system SPs in a database

 
Mike




(Msg. 1) Posted: Wed Jul 23, 2008 2:46 pm
Post subject: DENY ALL on system SPs in a database
Archived from groups: microsoft>public>sqlserver>security

ALL,

We are currently undergoing a SQL injection attack. While I have denied
all access to system tables in the databases for the account in
question, I was wondering if there is any risk in denying execute rights
on all the system stored procedures in the database as well for this
account (which is a SQL account I created for our web applications to use).

We are currently using MSSQL Server 2000 in the Windows environment.

Thoughts?

Thank you in advance!

Mike

Erland Sommarskog2




(Msg. 2) Posted: Wed Jul 23, 2008 3:47 pm
Post subject: Re: DENY ALL on system SPs in a database

Mike (mikey@email.unc.edu) writes:
> We are currently undergoing a SQL injection attack. While I have denied
> all access to system tables in the databases for the account in
> question, I was wondering if there is any risk in denying execute rights
> on all the system stored procedures in the database as well for this
> account (which is a sql account I created for our web applications to use)

The system stored procedures live in master. I don't think you can deny a
user access to these unless you add this user to master first.

But wouldn't it be better to disable this user id entirely?

--
Erland Sommarskog, SQL Server MVP, esquel.DeleteThis@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Uri Dimant




(Msg. 3) Posted: Thu Jul 24, 2008 9:54 am
Post subject: Re: DENY ALL on system SPs in a database

Mike
Do not let the user access the master database. Does the account you
connect to have sysadmin privilege?




"Mike" wrote in message

> ALL,
>
> We are currently undergoing a SQL injection attack. While I have denied
> all access to system tables in the databases for the account in question,
> I was wondering if there is any risk in denying execute rights on all the
> system stored procedures in the database as well for this account (which
> is a sql account I created for our web applications to use)
>
> We are currently using MSSQL Server 2000 in the windows environment
>
> Thoughts?
>
> Thank you in advance!
>
> Mike
Mike




(Msg. 4) Posted: Fri Jul 25, 2008 11:06 am
Post subject: Re: DENY ALL on system SPs in a database

Currently the user does not have rights to the master database and the
account does not have any rights other than dataread and datawrite.

The injection utilized the web account to read the sysobjects and
syscolumns tables in one specific database and then utilize the results
to update the data within the tables they found containing text datatypes.

I modified the rights of the web account to explicitly deny all rights
to the system tables and that has worked to keep the attacker out.

Mike

Uri Dimant wrote:
> Mike
> Do not let the user access to the master database. Does the account you
> connect to have sysadmin privilege?
>
>
>
>
> "Mike" wrote in message
>
>> ALL,
>>
>> We are currently undergoing a SQL injection attack. While I have denied
>> all access to system tables in the databases for the account in question,
>> I was wondering if there is any risk in denying execute rights on all the
>> system stored procedures in the database as well for this account (which
>> is a sql account I created for our web applications to use)
>>
>> We are currently using MSSQL Server 2000 in the windows environment
>>
>> Thoughts?
>>
>> Thank you in advance!
>>
>> Mike
>
>
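
The lockdown Mike describes in Msg. 4, written out as an added example (not code from the thread). It targets SQL Server 2000 and assumes a hypothetical database user named `webapp_user`; it denies SELECT on the two system tables named in the thread, lists the account's recorded permissions, and then repeats the read while impersonating that user.

```sql
-- Added example for SQL Server 2000, not from the original thread.
-- Run in the affected database as a member of db_owner (or sysadmin).
-- 'webapp_user' is a hypothetical name for the web application's user.
SET NOCOUNT ON

DECLARE @user sysname, @tbl sysname, @sql nvarchar(500)
SET @user = N'webapp_user'

-- System tables named in the thread; add further rows to widen the deny.
DECLARE @targets TABLE (name sysname NOT NULL)
INSERT INTO @targets (name) VALUES (N'sysobjects')
INSERT INTO @targets (name) VALUES (N'syscolumns')

DECLARE target_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM @targets

OPEN target_cur
FETCH NEXT FROM target_cur INTO @tbl
WHILE @@FETCH_STATUS = 0
BEGIN
    -- An explicit DENY takes precedence over SELECT granted through
    -- role membership such as db_datareader or public.
    SET @sql = N'DENY SELECT ON dbo.' + QUOTENAME(@tbl)
             + N' TO ' + QUOTENAME(@user)
    EXEC (@sql)
    FETCH NEXT FROM target_cur INTO @tbl
END
CLOSE target_cur
DEALLOCATE target_cur

-- List the permission rows recorded for the account, including the new denies.
EXEC sp_helprotect @name = NULL, @username = @user

-- Negative test: impersonate the account and repeat the read the DENY
-- is meant to block. A permission error here is the desired outcome.
SETUSER 'webapp_user'
SELECT TOP 1 name FROM dbo.sysobjects
IF @@ERROR = 0
    PRINT 'WARNING: webapp_user can still read sysobjects'
SETUSER   -- revert to the original login
```

Run the negative test again after any change to the account's role membership or permissions.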