RE: Hiding MS SQL databases in Enterprise Manager
From: Erik Birkholz (erik_at_foundstone.com)
Date: 12/02/03
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #165"
Date: Mon, 1 Dec 2003 17:37:16 -0800
To: "Cesar" <cesarc56@yahoo.com>, <focus-ms@securityfocus.com>
Cesar et al.,

There is also a free chapter from Special Ops, written by Chip Andrews, available at http://www.specialopssecurity.com/SpecialOpsCh12.pdf

Also, Chip's site www.SqlSecurity.com has a ton of info for you.
Enjoy,
Erik
-----Original Message-----
From: Cesar [mailto:cesarc56@yahoo.com]
Sent: Friday, November 21, 2003 6:02 AM
To: focus-ms@securityfocus.com
Subject: Re: Hiding MS SQL databases in Enterprise Manager
Well, Thor has given the most sensible response; you should ignore many of the previous posts. I have been hacking SQL Server for a long time, and let me tell you, you don't have to worry about users using EM, Query Analyzer, ASP pages, whatever (users can even use MS Word) to access your SQL Server. You have to worry about locking down your server, having a security policy, etc. There are some guides available to secure SQL Server; this is one I found quickly:
http://tinyurl.com/j44x

PS: on one of the previous posts I saw a recommendation to remove public permissions from sysdatabases, etc. If I were you I wouldn't do that, because it could cause undesired side effects, and I also don't think Microsoft will support you if you have problems. It's wrong to assume that if you remove permissions from sysdatabases some users won't be able to enumerate databases; IIRC database names are sometimes stored in other places, such as tables in the msdb database, replication databases, etc.

Cesar.
--- Thor <thor@hammerofgod.com> wrote:
> > When I create a database in the Microsoft SQL Server, it shows up under 'Databases' in Enterprise Manager for any user who logs in, whether or not they have permissions to access it. Since this could potentially be a security issue, I would like to set it up so that users can only see databases for which they've been assigned a role.
>
> I know you've received many comments on this, some that are wildly inaccurate, but let's ignore those for now...
>
> Your security model should start at the authentication infrastructure for your SQL servers, not at preventing a list of them. Spend your time properly configuring and securing your servers, not trying to obfuscate their existence. Most are probably all at 1433, which would be easily scanned for. The "hide" option just moves it to a known port, and a 2 byte query to the instance mapper on UDP 1434 tells all anyway.
>
> Besides, when the servers come online, they register themselves with the master browser. "TSEnum," a tool I wrote originally to enum terminal servers on a network, will return the name of every system in the domain, its type (server, wrkst), its role (PDC, BDC, etc.), and app server roles (SQL, Exchange, Terminal Services) etc., all with a single command, even with a null session, and even with restrict anonymous set to 1.
>
> So I just pipe results to a txt file, search for SQL, and bling bling. Basically, don't waste your time trying to hide them in EM..
>
> hth
>
> t
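Thor's point that the UDP 1434 instance mapper (the SQL Server Resolution Service, later the SQL Browser) "tells all" is easy to verify against your own servers: whatever the Browser advertises is what any client on the network can learn, regardless of what Enterprise Manager shows or which port an instance was moved to. The following parser is an added example written for this archive page; it is not code from Thor, Cesar, or the SQL Server product. It decodes the SSRP server-response format (byte 0x05, a little-endian 16-bit length, then `key;value;...;;` records, one per instance) from a constructed reply embedded inline, so it runs offline; the host name `DBSRV01`, the instance names and the ports are made up for the example. It then reports which advertised instances sit on a non-default port, which is exactly the case where an admin might believe the instance was "hidden".

```python
import struct

# Constructed sample reply from a SQL Server Resolution Service (UDP 1434)
# advertising two instances on one host. Host, instance names, version and
# ports are invented for this example.
_BODY = (
    b"ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    b"Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
    b"ServerName;DBSRV01;InstanceName;REPORTS;IsClustered;No;"
    b"Version;8.00.194;tcp;2433;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(_BODY)) + _BODY


def parse_ssrp_response(packet: bytes) -> list[dict[str, str]]:
    """Decode an SSRP server response into one dict per advertised instance.

    Wire format: 0x05, little-endian 16-bit body length, then an ASCII body
    of 'key;value;key;value;...;;' records, one record per instance.
    """
    if len(packet) < 3 or packet[0] != 0x05:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", packet, 1)
    if len(packet) - 3 < length:
        raise ValueError("truncated SSRP response")
    body = packet[3:3 + length].decode("ascii", errors="replace")

    instances = []
    for record in body.split(";;"):
        if not record:  # trailing empty element after the final ';;'
            continue
        fields = record.split(";")
        if len(fields) % 2:
            raise ValueError(f"odd number of fields in record: {record!r}")
        # Pair up keys and values: ServerName, InstanceName, IsClustered,
        # Version, and the protocol endpoints (tcp, np) the instance exposes.
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def advertised_tcp_ports(instances: list[dict[str, str]]) -> dict[str, int]:
    """Map each advertised instance name to the TCP port the Browser hands out."""
    return {inst["InstanceName"]: int(inst["tcp"])
            for inst in instances if "tcp" in inst}


def instances_on_nondefault_port(instances: list[dict[str, str]],
                                 default: int = 1433) -> list[str]:
    """Instances advertised on a port other than the default.

    An instance that was only moved off 1433 but still appears in the
    Browser's reply is not hidden from anyone who can reach UDP 1434.
    """
    return sorted(name for name, port in advertised_tcp_ports(instances).items()
                  if port != default)


if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    for inst in found:
        print(f"{inst['ServerName']}\\{inst['InstanceName']}: "
              f"version {inst['Version']}, tcp {inst.get('tcp', '-')}")
    print("advertised on non-default port:", instances_on_nondefault_port(found))
```

Run as-is it prints both constructed instances and flags `REPORTS` on 2433. Pointed at a real capture of your own Browser's reply, the same functions give you the inventory an unauthenticated client would see, which is the list to compare against what you thought was reachable.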