Re: Any security whole accessing sql database with anonymous account
From: Karl Levinson [x y] mvp (levinson_k@excite.com)
Date: 02/04/03
- Next message: Karl Levinson [x y] mvp: "Re: Help please my server has been hacked"
- Previous message: Karl Levinson [x y] mvp: "Re: Help please my server has been hacked"
- In reply to: shyam: "Any security whole accessing sql database with anonymous account"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] mvp" <levinson_k@excite.com> Date: Tue, 4 Feb 2003 15:19:04 -0500
Unless you are a security expert, I might recommend leaving IIS running as
the default IUSR account. This account has been hardened to some extent,
more so than the new John account has probably been hardened.
IIS and Windows should also be hardened:
http://securityadmin.info/faq.htm#hardened
http://securityadmin.info
After hardening the server, a good number of the security flaws remaining
will be within the code you use to access the database... such as SQL
injection and writing validation scripts on any input fields to avoid
letting people abuse your code. Information on how to do this is also at
the links above, such as www.cert.org/tech_tips and www.owasp.org
"shyam" <excelsmart1@yahoo.com> wrote in message
news:egj45XEzCHA.1636@TK2MSFTNGP10...
> I am describing my scenario below, please tell me what
> are the exact security holes and the problems I will face in this scenario.
> If a security hole is there, what are the possible ways for the hackers to
> break down my SQL Server database. I need to develop a website. If you guide
> me properly, I will be very much thankful to you.
>
> I will create a Windows NT user account with no privileges called JOHN
> (simply, I will add it only to the Users group).
> Then in IIS, for my website, I will configure user name JOHN as the anonymous
> user.
> And in MS SQL Server I will create a Windows NT account of JOHN and I will
> give read, write permission on the Northwind database.
>
> With the above scenario, I am running my website also, the end-users are also
> accessing the website without any problems, the end-user is not entering any
> Windows NT username and password (because of the anonymous account), they are doing
> all adding, modify, delete operations on the Northwind database also.
>
> Now the question and problem is:
> What are all the security breaches for this scenario?
> How is it possible for hackers to break my SQL Server (hack)?
>
> My IIS server has a public IP address and the database server is on a private IP
> address, and I created an anonymous user account on both the machines with the
> same password. Is it possible to access my SQL Server for either my
> domain users or public internet users? Please give some detailed information
> about this.
>
> with regards
> MS
>
>
>
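An added example (not part of the original thread) of the SQL injection and input validation point in the reply above, using the read/write Northwind scenario from the question. It assumes Python's sqlite3 as an offline stand-in for SQL Server; the Products rows, the function names and the input strings are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample rows; sqlite3 stands in for SQL Server so this runs offline.
ROWS = [(1, "Chai", 18.0), (2, "Chang", 19.0), (4, "Chef Anton's Cajun Seasoning", 22.0)]
NAME_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,40}")  # allow-list for the name field

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Products (ProductID INTEGER PRIMARY KEY,"
               " ProductName TEXT, UnitPrice REAL)")
    db.executemany("INSERT INTO Products VALUES (?, ?, ?)", ROWS)
    return db

def find_concat(db, name):
    # Weak form: the field value becomes part of the SQL text.
    sql = "SELECT ProductID FROM Products WHERE ProductName = '" + name + "'"
    return db.execute(sql).fetchall()

def find_param(db, name):
    # Hardened form: the value is bound, so it is only ever compared as data.
    return db.execute("SELECT ProductID FROM Products WHERE ProductName = ?", (name,)).fetchall()

def valid_name(name):
    # Validation is a second layer; it does not replace parameter binding.
    return NAME_RE.fullmatch(name) is not None

def update_price(db, product_id, price):
    # Write path: coerce types, check the range, then bind.
    pid, value = int(product_id), float(price)
    if not 0 <= value <= 10000:
        raise ValueError("price out of range")
    cur = db.execute("UPDATE Products SET UnitPrice = ? WHERE ProductID = ?", (value, pid))
    return cur.rowcount

def demo():
    db = make_db()
    crafted = "x' OR '1'='1"                # constructed input
    legit = "Chef Anton's Cajun Seasoning"  # passes validation, contains a quote
    try:
        find_concat(db, legit)
        broke = False
    except sqlite3.OperationalError:
        broke = True
    return {"concat_rows": len(find_concat(db, crafted)),
            "param_rows": len(find_param(db, crafted)),
            "crafted_valid": valid_name(crafted),
            "legit_breaks_concat": broke}
```

The concatenated query returns every row for the crafted value and fails outright on a legitimate product name containing an apostrophe, while the bound query handles both as plain data.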