RE: Hiding MS SQL databases in Enterprise Manager

From: Chris Ess (securityfocus_at_cae.tokimi.net)
Date: 11/18/03

    Date: Tue, 18 Nov 2003 10:34:25 -0500 (EST)
    To: tgm@elt.com

    > If they are using Enterprise Manager to access the databases I don't think
    > you can stop that. From what I understand, Enterprise Manager uses the SA
    > login, not a user login. So anyone using it will have complete access and
    > control unless the database owner is not DBO. You could set the database
    > permissions so that certain roles can do what they need to do and other
    > roles can not do anything at all. They may still be able to see the tables,
    > but not what is in them. This would work with ODBC and other data access
    > methods.
    >
    > You should be able to set Enterprise Manager so that only users with
    > administrator rights could run it.

    I appreciate your advice. However, I think this is only valid for when
    Enterprise Manager is run from the SQL Server's machine. In this case,
    you're usually logging in as a trusted account from the machine rather
    than 'sa'.

    You can use Enterprise Manager to connect to a remote SQL Server. You can
    log in with any account that has access to the SQL server rather than just
    the 'sa' user. (And I think logging in remotely with the 'sa' user is a
    rather silly and insecure idea. Although allowing developers remote
    access to your SQL Server may also be a silly and insecure idea.) These
    users do not need to have any sort of server role whatsoever to log in as
    long as the login has been created within the SQL Server.

    While I'm on the topic, does anyone know of serious security issues with
    allowing developers access to the SQL Server remotely through Enterprise
    Manager or another such tool?

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)
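One way to set up the restricted access discussed in this thread (a SQL login with no server role at all, mapped to a database role that can run approved procedures but not read the tables directly), as an added example for SQL Server 2000 that is not part of the original message; the login, database, role, table and procedure names are hypothetical:

```sql
-- Added example (not from the original thread): least-privilege setup for a
-- developer login that connects remotely (e.g. from Enterprise Manager).
-- Hypothetical names: login dev_reader, database Sales, role dev_limited,
-- table dbo.Orders, procedure dbo.usp_GetOrderCount.
USE master;
GO
-- 1. A plain SQL login with no server role: it can connect, but holds no
--    instance-wide rights. The password is a placeholder; use a strong one.
EXEC sp_addlogin @loginame = 'dev_reader',
                 @passwd   = 'CHANGE-ME-placeholder',
                 @defdb    = 'Sales';
GO
USE Sales;
GO
-- 2. Map the login to a database user and place it in a custom role.
EXEC sp_grantdbaccess @loginame = 'dev_reader', @name_in_db = 'dev_reader';
EXEC sp_addrole       @rolename = 'dev_limited';
EXEC sp_addrolemember @rolename = 'dev_limited', @membername = 'dev_reader';
GO
-- 3. Grant only what the role needs and explicitly DENY direct table access.
--    DENY wins over any GRANT the user might inherit via the public role, so
--    the table still appears in the Enterprise Manager tree, but
--    SELECT * FROM dbo.Orders fails with a permission error.
GRANT EXECUTE ON dbo.usp_GetOrderCount TO dev_limited;
DENY  SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO dev_limited;
GO
-- 4. Checks an administrator can run afterwards.
SELECT IS_SRVROLEMEMBER('sysadmin', 'dev_reader') AS is_sysadmin; -- expect 0
EXEC sp_helprolemember 'dev_limited';           -- lists dev_reader
EXEC sp_helprotect @username = 'dev_limited';   -- shows the GRANT/DENY rows
```

Repeat step 3 for every table and procedure the role should or should not touch; reviewing the sp_helprotect output for each database is a quick way to confirm a developer login never received more than intended.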


