RE: Hiding MS SQL databases in Enterprise Manager

From: Chris Ess (securityfocus_at_cae.tokimi.net)
Date: 11/18/03

    Date: Tue, 18 Nov 2003 10:34:25 -0500 (EST)
    To: tgm@elt.com

    > If they are using Enterprise Manager to access the databases I don't think
    > you can stop that. From what I understand, Enterprise Manager uses the SA
    > login, not a user login. So anyone using it will have complete access and
    > control unless the database owner is not DBO. You could set the database
    > permissions so that certain roles can do what they need to do and other
    > roles cannot do anything at all. They may still be able to see the tables,
    > but not what is in them. This would work with ODBC and other data access
    > methods.
    >
    > You should be able to set Enterprise Manager so that only users with
    > administrator rights could run it.

    I appreciate your advice. However, I think this is only valid for when
    Enterprise Manager is run from the SQL Server's machine. In this case,
    you're usually logging in as a trusted account from the machine rather
    than 'sa'.

    You can use Enterprise Manager to connect to a remote SQL Server. You can
    log in with any account that has access to the SQL server rather than just
    the 'sa' user. (And I think logging in remotely with the 'sa' user is a
    rather silly and insecure idea. Although allowing developers remote
    access to your SQL Server may also be a silly and insecure idea.) These
    users do not need to have any sort of server role whatsoever to log in as
    long as the login has been created within the SQL Server.

    While I'm on the topic, does anyone know of serious security issues with
    allowing developers access to the SQL Server remotely through Enterprise
    Manager or another such tool?

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
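
    The permission model the quoted reply describes (a login with no server
    role, mapped into one database, with a role that grants only what is
    needed and denies the rest) as an added example in SQL Server 2000-era
    T-SQL. This is not code from the thread or its participants; the database
    name AppDb, the objects dbo.Orders, dbo.usp_GetOrder and dbo.Customers,
    the login dev_reader and its password are constructed placeholders.

```sql
-- Added example, not from the thread. Names and password are placeholders.
USE master;
GO
-- 1. A SQL Server login with no server role at all. It can connect from a
--    remote Enterprise Manager and will see every database listed in the
--    tree, but it holds no server-level rights.
EXEC sp_addlogin @loginame = 'dev_reader',
                 @passwd   = 'ChangeMe-Placeholder',
                 @defdb    = 'AppDb';
GO
USE AppDb;
GO
-- 2. Map the login to a user in this one database. Without this mapping the
--    login can connect but cannot open anything inside AppDb.
EXEC sp_grantdbaccess @loginame = 'dev_reader', @name_in_db = 'dev_reader';

-- 3. A custom database role that carries exactly what developers need.
EXEC sp_addrole @rolename = 'app_developer';
EXEC sp_addrolemember @rolename = 'app_developer', @membername = 'dev_reader';
GRANT SELECT  ON dbo.Orders       TO app_developer;
GRANT EXECUTE ON dbo.usp_GetOrder TO app_developer;

-- 4. DENY overrides any GRANT reached through public or another role, so the
--    table still shows up in the object tree but its contents do not.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Customers TO app_developer;
GO

-- 5. Check the result as that user (SETUSER requires sysadmin or db_owner).
--    The first query returns rows; the second fails with a permission error.
SETUSER 'dev_reader';
SELECT COUNT(*) FROM dbo.Orders;
SELECT COUNT(*) FROM dbo.Customers;   -- error 229: SELECT permission denied
SETUSER;                              -- revert to the original user
GO

-- 6. Hiding the database names themselves is not possible on SQL Server 2000.
--    On SQL Server 2005 and later the server-level permission VIEW ANY DATABASE
--    (granted to public by default) can be denied so that the login only sees
--    master, tempdb and databases it owns:
-- DENY VIEW ANY DATABASE TO dev_reader;
```

    The DENY in step 4 is the point the reply is making: visibility of an
    object in the Enterprise Manager tree and permission to read it are
    separate things, and a role-based DENY holds regardless of which client
    tool the developer connects with.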

