Re: Hiding MS SQL databases in Enterprise Manager
From: Thor (thor_at_hammerofgod.com)
Date: 11/20/03
- Previous message: Henry David Christopherson: "iis - authenticate thru domain username/password"
- In reply to: Chris Ess: "Hiding MS SQL databases in Enterprise Manager"
- Next in thread: Cesar: "Re: Hiding MS SQL databases in Enterprise Manager"
- Reply: Cesar: "Re: Hiding MS SQL databases in Enterprise Manager"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Chris Ess" <securityfocus@cae.tokimi.net>, <focus-ms@securityfocus.com>
Date: Wed, 19 Nov 2003 15:51:02 -0800
> When I create a database in the Microsoft SQL Server, it shows up under
> 'Databases' in Enterprise Manager for any user who logs in, whether or not
> they have permissions to access it. Since this could potentially be a
> security issue, I would like to set it up so that users can only see
> databases for which they've been assigned a role.
I know you've received many comments on this - some that are wildly
inaccurate - but let's ignore those for now...
Your security model should start at the authentication infrastructure for
your SQL servers, not at preventing a list of them. Spend your time
properly configuring and securing your servers, not trying to obfuscate
their existence. Most are probably all at 1433, which would be easily
scanned for. The "hide" option just moves it to a known port, and a 2-byte
query to the instance mapper on UDP 1434 tells all anyway.
Besides, when the servers come on line, they register themselves with the
master browser. "TSEnum," a tool I wrote to originally enum terminal
servers on a network, will return the name of every system in the domain,
its type (server, wrkst), its role (PDC, BDC, etc.), and app server roles (SQL,
Exchange, Terminal Services) etc, all with a single command, even with a
null session, and even with restrict anonymous set to 1.
So I just pipe results to a txt file, search for SQL, and bling bling.
Basically, don't waste your time trying to hide them in EM.
hth
t