RE: Hiding MS SQL databases in Enterprise Manager
From: Jannie Hanekom (j_hanekom_at_hotmail.com)
Date: 11/18/03
- Previous message: Thor: "Re: Hiding MS SQL databases in Enterprise Manager"
- In reply to: Chris Ess: "Hiding MS SQL databases in Enterprise Manager"
To: "'Chris Ess'" <securityfocus@cae.tokimi.net>, <focus-ms@securityfocus.com>
Date: Tue, 18 Nov 2003 21:38:40 -0000
> Hiding MS SQL databases in Enterprise Manager
Actually, it's quite possible to hide the databases. Just deny the guest
user read rights on sysdatabases - works like a charm. Only problem is that
many MS ODBC applications (Access, Excel and several installers I've
encountered) need to enumerate the list of databases, since they have
"friendly" dropdowns where you can specify the databases. If you can in any
way specify a direct ADO connection string (like in an ASP page etc) you can
get around this, though.
While you're at it, you may also want to restrict access to the syslogins
view (to hide the users in EM) and sysobjects and sysservers to hide the
global list of extended stored procedures and linked servers from poking
users.
In MSDB, we've also restricted access to sp_add_dtspackage,
sp_add_jobschedule and sp_enum_dtspackages to keep people from snooping on
DTS packages and scheduled jobs.
In addition to the above, you may want to have a look at the excellent site,
http://www.sqlsecurity.com. The site has good lockdown scripts and links to
useful utilities.
Hope that helps.
Jannie
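
The restrictions described in the message above, written out as a T-SQL script for SQL Server 2000-era system tables. This is an added example, not part of the original post: it assumes the guest user exists in both master and msdb and that "restrict access" means a DENY to guest, which the post states explicitly only for sysdatabases.

```sql
-- Added example, not from the original post.
-- Assumption: every restriction is applied as a DENY to the guest user.
-- Run as a sysadmin, and test against the ODBC clients the post warns
-- about (Access, Excel, installers) before rolling out widely.

USE master
GO
-- Hide the database list from logins that reach master only as guest.
DENY SELECT ON dbo.sysdatabases TO guest
-- Hide logins, the extended stored procedure list and linked servers.
DENY SELECT ON dbo.syslogins  TO guest
DENY SELECT ON dbo.sysobjects TO guest
DENY SELECT ON dbo.sysservers TO guest
GO

USE msdb
GO
-- Keep guest from listing or adding DTS packages and job schedules.
DENY EXECUTE ON dbo.sp_add_dtspackage   TO guest
DENY EXECUTE ON dbo.sp_add_jobschedule  TO guest
DENY EXECUTE ON dbo.sp_enum_dtspackages TO guest
GO

-- Check: list the permissions now recorded for guest in each database.
-- Every object named above should appear with a deny entry.
USE master
GO
EXEC sp_helprotect @username = 'guest'
GO
USE msdb
GO
EXEC sp_helprotect @username = 'guest'
GO

-- Rollback, if a client that must enumerate databases breaks
-- (REVOKE removes the deny entry; it does not add a grant):
--   USE master
--   REVOKE SELECT ON dbo.sysdatabases FROM guest
```

A DENY to guest only affects logins that have no user of their own in that database; logins mapped to a named user are governed by that user's permissions and role memberships.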