RE: Hiding MS SQL databases in Enterprise Manager
From: Sergey V. Gordeychik (gordey_at_infosec.ru)
Date: 11/19/03
- Previous message: Lela Armstrong: "RE: MS03-049 Scanner?"
- Maybe in reply to: Chris Ess: "Hiding MS SQL databases in Enterprise Manager"
- Next in thread: Mike Theriault: "RE: Hiding MS SQL databases in Enterprise Manager"
Date: Wed, 19 Nov 2003 09:57:31 +0300
To: "Chris Ess" <securityfocus@cae.tokimi.net>, <focus-ms@securityfocus.com>
I think this can help:
In SQL 2000 you can put your "secret database" on another SQL Server
instance on the same server, so only users who have a server login on
the "secret" instance can see this database.
Another good practice is to make this instance "hidden" in the network
libraries. A "hidden" instance isn't published via the SQL Server
Resolution Service (UDP 1434) but listens on well-known port 2433.
A better way: set the "secret instance" to listen on a high port (5326
for example), and filter (with an IPSec policy for example) 1434 UDP on
the SQL server.
Thus only users who know the SQL port can connect to it.
On the client side you can specify the port in the registry,
HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\SuperSocketNetLib\Tcp\DefaultPort = 5326,
or in the connection string.
So we get 2 instances on one server: public on port 1433, and "secret"
with limited access on port 5326.
Only users who have a login on the "secret" instance and know the port
can connect to it and use its database.
So, sorry for my English.
-----Original Message-----
From: Chris Ess [mailto:securityfocus@cae.tokimi.net]
Sent: Monday, November 17, 2003 6:22 PM
To: focus-ms@securityfocus.com
Subject: Hiding MS SQL databases in Enterprise Manager
I figure there has to be a way to do this. Unfortunately, I've been
unable to turn up anything on google, so...
When I create a database in the Microsoft SQL Server, it shows up under
'Databases' in Enterprise Manager for any user who logs in, whether or
not they have permissions to access it. Since this could potentially be
a security issue, I would like to set it up so that users can only see
databases for which they've been assigned a role.
The SQL server uses mixed-mode authentication and cannot be changed.
The server in question is currently Microsoft SQL Server 7, but any
advice or pointers for Microsoft SQL Server 2000 would be appreciated
as well.
Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
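
An added example, not part of either message above: a check a server administrator could use to confirm the setup described in the reply, by parsing a resolution-service response (the SVR_RESP message of Microsoft's MC-SQLR specification) and flagging any record that still publishes the "secret" instance or its port. The host name DBHOST, the instance name SECRET and both sample datagrams are constructed for illustration; port 5326 is the one used in the reply.

```python
import struct

# Constructed sample SVR_RESP datagrams, as the resolution service on
# UDP 1434 would return them. SAMPLE_OK publishes only the public instance.
_BODY = ("ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
         "Version;8.00.194;tcp;1433;np;\\\\DBHOST\\pipe\\sql\\query;;")
SAMPLE_OK = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY.encode("ascii")

# SAMPLE_LEAK also publishes the instance that was meant to stay hidden.
_LEAK = _BODY + ("ServerName;DBHOST;InstanceName;SECRET;IsClustered;No;"
                 "Version;8.00.194;tcp;5326;;")
SAMPLE_LEAK = b"\x05" + struct.pack("<H", len(_LEAK)) + _LEAK.encode("ascii")


def parse_svr_resp(datagram):
    """Return one dict per instance advertised in an SVR_RESP datagram."""
    if len(datagram) < 3 or datagram[0] != 0x05:
        raise ValueError("not an SVR_RESP message")
    (size,) = struct.unpack_from("<H", datagram, 1)  # little-endian length
    body = datagram[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SVR_RESP body")
    instances = []
    for record in body.decode("ascii", "replace").split(";;"):
        fields = record.split(";")
        if len(fields) < 2:
            continue  # empty tail after the final ";;"
        # Fields alternate key;value (ServerName;X;InstanceName;Y;tcp;1433;...)
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def audit(datagram, secret_name, secret_port):
    """List findings that show the 'secret' instance is still discoverable."""
    findings = []
    for inst in parse_svr_resp(datagram):
        if inst.get("InstanceName", "").upper() == secret_name.upper():
            findings.append("instance name %s is published" % secret_name)
        if inst.get("tcp") == str(secret_port):
            findings.append("port %d is published" % secret_port)
    return findings
```

An empty list from `audit` means the response does not advertise the instance; when UDP 1434 is filtered as the reply suggests, there is no response to parse at all.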