Re: [Full-disclosure] Database servers on XP and the curious flaw

From: Dave King (davefd_at_davewking.com)
Date: Thu, 17 Nov 2005 09:53:40 -0700
To: full-disclosure@lists.grok.org.uk

    You are most likely right that by default MSDE and 2005 Express are
    secure by default. I'm sorry for the misunderstanding, I thought I made
    this clear when I said "if the configuration allows the guest account
    access to the database", but I guess I should have added something about
    that by default it's secure. I'm sure this was my mistake because I've
    received at least 3 emails that have pointed out that SQL Server is
    secure by default. Mostly my comment was in reference to "How many
    people at home run a fully fledged RDBMS on their XP systems?". I was
    just trying to point out that more people than we may think _are_
    running database servers on their system.

    Laters,
    Dave King

    James Eaton-Lee wrote:

    >On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
    >
    >>While it still may not be "millions of people" several products come
    >>bundled with the desktop edition of SQL Server 2000, and I'm sure many
    >>will come with SQL Server 2005 Express. As far as I can tell by reading
    >>the paper (but not testing it myself) these are probably vulnerable as
    >>well if the configuration allows the guest account access to the database.
    >>
    >
    >"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
    >not vulnerable. Like Oracle, SQL Server authenticates the client using
    >the NTLM SSPI AcceptSecurityContext() function and the user is logged on
    >as Guest, however, as SQL Server requires that a specific user be
    >granted access, the remote user can log in – by default SQL Server
    >doesn’t allow Guest access to the database server. If, for whatever
    >reason, someone has granted either the Guest account or the built-in
    >Guests group access to the SQL Server then a remote user without valid
    >credentials will gain access."
    >
    >I may be wrong, but I'd assume that the way in which SQLDE authenticates
    >is similar to MSSQL and therefore isn't affected by this... feel quite
    >free to correct me, because I don't claim to be an expert on the DE
    >version of SQL! :)
    >
    >This of course wouldn't be the case for databases bundled with insecure
    >permissions (as vendors are apt to do), and that'd probably be what I'd
    >worry about most in these situations.
    >
    > - James.
    >
    >>Dave King
    >>http://www.thesecure.net
    >>
    >>>To be honest I don't think we're talking millions of people. How many
    >>>people at home run a fully fledged RDBMS on their XP systems? Very few
    >>>I'd guess. Besides, Simple File Sharing is documented so MS are
    >>>educating those willing to seek information.
    >>>
    >>_______________________________________________
    >>Full-Disclosure - We believe in it.
    >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    >>Hosted and sponsored by Secunia - http://secunia.com/
    >>

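One way to audit the precondition the quoted advisory text describes (the Windows Guest account or the BUILTIN\Guests group having been granted a SQL Server login, or the per-database guest user holding CONNECT) is the following T-SQL, added here as an example and not part of the thread. It assumes SQL Server 2005 or later catalog views for sections 1 to 3 and falls back to the SQL Server 2000 / MSDE system tables in section 4.

```sql
-- Added example, not from the thread: audit the precondition the quoted
-- advisory names, i.e. the Windows Guest account or the BUILTIN\Guests group
-- having been granted a SQL Server login, plus the per-database guest user.
-- Run as a sysadmin. Sections 1-3 assume SQL Server 2005+ catalog views;
-- section 4 uses the SQL Server 2000 / MSDE system tables.

-- 1. Server logins for Guest or the Guests group (type U = Windows user,
--    G = Windows group). Any row returned here is a finding.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')
  AND (name LIKE '%\Guest' OR name = 'BUILTIN\Guests');

-- 2. Server-level permissions those principals hold (CONNECT SQL is the
--    one that lets an NTLM session logged on as Guest into the instance).
SELECT sp.name, pe.permission_name, pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp ON sp.principal_id = pe.grantee_principal_id
WHERE sp.type IN ('U', 'G')
  AND (sp.name LIKE '%\Guest' OR sp.name = 'BUILTIN\Guests');

-- 3. The database-level "guest" user: CONNECT is granted by default only in
--    master, tempdb and msdb; a grant in any other database is a finding.
--    sp_MSforeachdb is undocumented but ships with SQL Server; ? is the
--    placeholder it substitutes with each database name.
EXEC sp_MSforeachdb N'
USE [?];
SELECT DB_NAME() AS database_name, dp.name, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON dp.principal_id = pe.grantee_principal_id
WHERE dp.name = N''guest''
  AND pe.permission_name = N''CONNECT''
  AND pe.state = N''G''
  AND DB_NAME() NOT IN (N''master'', N''tempdb'', N''msdb'');';

-- 4. SQL Server 2000 / MSDE equivalent of section 1 (hasaccess = 1 means
--    the login may connect; denylogin = 1 overrides it).
SELECT name, isntuser, isntgroup, hasaccess, denylogin
FROM master..syslogins
WHERE isntname = 1 AND name LIKE '%\Guest%';

-- Remediation for a section 1 finding (2005+ syntax; on 2000 use
-- EXEC sp_revokelogin 'BUILTIN\Guests'). For a section 3 finding, run
-- REVOKE CONNECT FROM guest; inside the affected user database.
-- DROP LOGIN [BUILTIN\Guests];
```

Sections 1 and 2 are the checks that match the advisory's "if someone has granted either the Guest account or the built-in Guests group access" condition; section 3 catches the separate case of a vendor-bundled database that enables the guest user.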

