RE: Hiding MS SQL databases in Enterprise Manager
From: Henry Sieff (hsieff_at_orthodon.com)
Date: 11/18/03
- Previous message: Vidar Tyldum: "Re: MS03-049 Scanner?"
- Maybe in reply to: Chris Ess: "Hiding MS SQL databases in Enterprise Manager"
- Next in thread: Sergey V. Gordeychik: "RE: Hiding MS SQL databases in Enterprise Manager"
To: 'Chris Ess' <securityfocus@cae.tokimi.net>, focus-ms@securityfocus.com
Date: Tue, 18 Nov 2003 11:48:09 -0600
Actually, there is no way to do this. In Query Analyzer, users are blocked
from seeing databases that they have no access to (because of the way Query
Analyzer enumerates the databases).
You see, enumerating the databases is a function of reading the table
sysdatabases in the Master database. All users have to be able to read this
table in general. Query Analyzer goes further and checks permissions before
enumerating, EM doesn't. But, even in QA, the user could run a query against
master to find the database.
Your best bet is to move users away from EM, since it's actually a poor tool
for working with the data (its intention is administration, not data
access). However, if you are a hosting provider and your users ARE using EM
to administer their specific db's, then the only way you are going to get
around this problem is to run multiple virtual instances of SQL Server for each
client.
We use Query Analyzer for raw data access, and Access/VB forms or web pages
for users. EM is only for administration.
Henry
> -----Original Message-----
> From: Chris Ess [mailto:securityfocus@cae.tokimi.net]
> Sent: Monday, November 17, 2003 9:22 AM
> To: focus-ms@securityfocus.com
> Subject: Hiding MS SQL databases in Enterprise Manager
>
>
> I figure there has to be a way to do this. Unfortunately, I've been
> unable to turn up anything on Google, so...
>
> When I create a database in the Microsoft SQL Server, it shows up under
> 'Databases' in Enterprise Manager for any user who logs in, whether or not
> they have permissions to access it. Since this could potentially be a
> security issue, I would like to set it up so that users can only see
> databases for which they've been assigned a role.
>
> The SQL server uses mixed-mode authentication and cannot be changed.
>
> The server in question is currently Microsoft SQL Server 7, but any advice
> or pointers for Microsoft SQL Server 2000 would be appreciated as well.
>
> Sincerely,
>
>
> Chris Ess
> System Administrator / CDTT (Certified Duct Tape Technician)
>
> --------------------------------------------------------------
> -------------
> Network with over 10,000 of the brightest minds in
> information security
> at the largest, most highly-anticipated industry event of the year.
> Don't miss RSA Conference 2004! Choose from over 200 class
> sessions and
> see demos from more than 250 industry vendors. If your job touches
> security, you need to be here. Learn more or register at
> http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
> and use priority code SF4.
> --------------------------------------------------------------
> -------------
>
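An added example, not part of the original thread: an audit query an administrator can run while connected as a low-privileged login to see which database names that login can read from master's sysdatabases table and which of them it can actually open. It assumes SQL Server 2000, where HAS_DBACCESS() is available; the column aliases are illustrative.

```sql
-- Added example (not from the original messages).
-- Run while connected as the login under review.
-- Assumption: SQL Server 2000, where HAS_DBACCESS() exists.

SELECT  d.name             AS database_name,
        SUSER_SNAME(d.sid) AS owner_login,
        CASE HAS_DBACCESS(d.name)
            WHEN 1 THEN 'accessible'
            WHEN 0 THEN 'name visible, no access'
            ELSE        'name not valid'     -- HAS_DBACCESS returned NULL
        END                AS exposure
FROM    master.dbo.sysdatabases AS d
ORDER BY d.name;

-- The same list restricted to databases this login can open,
-- i.e. a permission check applied before enumerating.
SELECT  d.name AS database_name
FROM    master.dbo.sysdatabases AS d
WHERE   HAS_DBACCESS(d.name) = 1
ORDER BY d.name;
```

Rows reported as 'name visible, no access' are the databases whose existence is disclosed to that login even though it cannot open them.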