RE: Hiding MS SQL databases in Enterprise Manager

From: Mike Theriault (Mike_Theriault_at_Jabil.com)
Date: 11/18/03

    To: "'Chris Ess'" <securityfocus@cae.tokimi.net>, "'tgm@elt.com'" <tgm@elt.com>
    Date: Tue, 18 Nov 2003 16:53:01 -0500
    
    

    Using any sort of SQL Server login authentication is typically not a good
    idea to begin with. You'll want to use Windows authentication in almost
    every case since it is VERY easy to crack SQL passwords. It is even easier
    to get passwords when Software Application Developers hardcode SQL account
    information in applications. As far as Developers using the Enterprise
    Manager to access remote SQL instances is concerned, this should be a
    non-issue as long as they're logging in using Windows NT authentication.

    The only time I ever log in as 'sa' is when I initially create a SQL
    instance and assign my Windows domain account with sa privileges. After
    that, there is never a case when I use 'sa'.

    Mike Theriault

    -----Original Message-----
    From: Chris Ess [mailto:securityfocus@cae.tokimi.net]
    Sent: Tuesday, November 18, 2003 10:34 AM
    To: tgm@elt.com
    Cc: focus-ms@securityfocus.com
    Subject: RE: Hiding MS SQL databases in Enterprise Manager

    > If they are using Enterprise Manager to access the databases I don't think
    > you can stop that. From what I understand, Enterprise Manager uses the SA
    > login, not a user login. So anyone using it will have complete access and
    > control unless the database owner is not DBO. You could set the database
    > permissions so that certain roles can do what they need to do and other
    > roles can not do anything at all. They may still be able to see the tables,
    > but not what is in them. This would work with ODBC and other data access
    > methods.
    >
    > You should be able to set Enterprise Manager so that only users with
    > administrator rights could run it.

    I appreciate your advice. However, I think this is only valid for when
    Enterprise Manager is run from the SQL Server's machine. In this case,
    you're usually logging in as a trusted account from the machine rather
    than 'sa'.

    You can use Enterprise Manager to connect to a remote SQL Server. You can
    log in with any account that has access to the SQL server rather than just
    the 'sa' user. (And I think logging in remotely with the 'sa' user is a
    rather silly and insecure idea. Although allowing developers remote
    access to your SQL Server may also be a silly and insecure idea.) These
    users do not need to have any sort of server role whatsoever to log in as
    long as the login has been created within the SQL Server.

    While I'm on the topic, does anyone know of serious security issues with
    allowing developers access to the SQL Server remotely through Enterprise
    Manager or another such tool?

    Sincerely,

    Chris Ess
    System Administrator / CDTT (Certified Duct Tape Technician)

    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_focus-ms_031027
    and use priority code SF4.
    ---------------------------------------------------------------------------
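    The checks that follow are an added example, not code from either poster: a Transact-SQL script for the SQL Server 2000-era system tables and procedures this thread is about (master..syslogins, xp_loginconfig, sp_grantlogin, sp_addsrvrolemember), showing how to verify the authentication mode, list every SQL-password login and sysadmin holder, and perform the one-time step of granting a Windows domain account sysadmin so 'sa' is never used afterwards. DOMAIN\dbadmin is a placeholder account name.

```sql
-- Added example (not from the thread). Assumes SQL Server 2000 system
-- objects: master..syslogins, xp_loginconfig, sp_grantlogin and
-- sp_addsrvrolemember. DOMAIN\dbadmin is a placeholder domain account.
USE master;
GO

-- 1. Which authentication mode is the instance running in?
--    'Windows NT Authentication' is the setting the thread recommends;
--    'Mixed' means password-based SQL logins such as 'sa' are accepted.
EXEC xp_loginconfig 'login mode';
GO

-- 2. Every SQL Server (non-Windows) login, with its access and sysadmin
--    flags. Under Windows-only authentication this list should contain
--    nothing but 'sa' (which cannot be dropped in SQL 2000, so it needs
--    a strong password and should never be used for daily work).
SELECT name,
       sysadmin,
       hasaccess,
       denylogin
FROM   master..syslogins
WHERE  isntname = 0
ORDER  BY sysadmin DESC, name;
GO

-- 3. Everyone holding the sysadmin role, tagged by login type. Only
--    Windows logins (plus the built-in 'sa') should appear here.
SELECT name,
       CASE isntname WHEN 1 THEN 'Windows' ELSE 'SQL' END AS login_type
FROM   master..syslogins
WHERE  sysadmin = 1
ORDER  BY login_type, name;
GO

-- 4. The one-time step Mike describes: grant a Windows domain account
--    the sysadmin role so 'sa' is not needed for administration again.
EXEC sp_grantlogin 'DOMAIN\dbadmin';
EXEC sp_addsrvrolemember 'DOMAIN\dbadmin', 'sysadmin';
GO
```

Any login that shows hasaccess = 1 in step 2 can connect with Enterprise Manager without holding a server role, which is the point Chris makes about remote access; the list is what to review when deciding which developer logins really need to exist.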

