Re: Guest Account
From: CSDunn (cdunn@valverde.edu)
Date: 10/04/02
From: "CSDunn" <cdunn@valverde.edu> Date: Fri, 4 Oct 2002 12:33:46 -0700
This comes from the book, "Professional SQL Server 2000 Programming", WROX
publishers p.1059:
"The guest account provides a way of having default access. When you have
the guest account active, then several things happen:
- Logins gain guest level access to any database to which they are not
explicitly given access.
- Outside users can login through the guest account to gain access. This
requires that they know the password for guest, but they'll already know the
user exists (although, they probably also know that the sa account exists
too).
Personally, one of the first things I do with my SQL Server is to eliminate
every ounce of access the guest account has. It's a loophole, and it winds
up providing access in a way you don't intuitively think of."
I work in a K-12 school district and am responsible for the development and
admin duties of our main SQL Server 2000 box (as well as the web site, the
help line, and other stuff). The primary instance of SQL Server that we work
from is both the development box and the production box. The applications
are built for teachers and administrators in the school district, who
interface to the server through Access 2000 Project forms, mostly for data
input. We use Access 2000 Project Reports to allow teachers and
administrators to evaluate the data they input (no OLAP yet).
"Ken Schaefer" <kenRMV@THISadOpenStatic.com> wrote in message
news:#Y3Uxo1aCHA.1712@tkmsftngp11...
> Where did you read about revoking Guest access to all objects? (so we can
> see exactly what advice you were given and comment)
>
> Also, if this is a production box, you should detach Northwind and Pubs. If
> it's a dev box, then it should probably be behind a firewall if you want to
> keep sample applications/databases etc
>
> Cheers
> Ken
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "CSDunn" <cdunn@valverde.edu> wrote in message
> news:OFXM8fzaCHA.2104@tkmsftngp11...
> > Hello,
> > I am new to security on SQL Server 2000, and from what I have read, I should
> > deny access to all of the objects available to the Guest account in the
> > Master, MSDB, Temp, Northwind, Pubs, and all other User databases. Denying
> > access to Northwind and Pubs was simple enough, but I read in BOL that I am
> > not able to execute sp_revokedbaccess to the Master, MSDB or Temp databases.
> > Before I go through and Deny permissions on the countless number of objects
> > available to the guest user, I'd like to get a better understanding of what
> > kind of security risk the 'Guest' user is for the databases on which I
> > cannot revoke 'Guest' access, and what I should do for these databases.
> >
> > Our organization is moving towards web applications to SQL Server 2000, so I
> > would also be curious to know what security implications this has for the
> > 'Guest' account.
> >
> > Thanks for your help.
> >
> > CSDunn
> >
> >
> >
>
>
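
Added example, not part of the original messages or of the book quoted above: a read-only T-SQL audit for SQL Server 2000 that reports, per database, whether guest is enabled and how many permissions reach it directly or through the public role. The temp table and its column names are made up for the example; it assumes the SQL Server 2000 system tables sysusers and sysprotects, with protecttype 204/205 meaning grant and uid 0 being public.

```sql
-- Read-only audit for SQL Server 2000: where is guest enabled, and how many
-- permissions reach it directly or through the public role?
-- #guest_audit and its column names are made up for this example.
SET NOCOUNT ON

CREATE TABLE #guest_audit (
    dbname        sysname NOT NULL,
    guest_enabled int     NOT NULL,  -- sysusers.hasdbaccess for guest
    guest_grants  int     NOT NULL,  -- grants made to guest itself
    public_grants int     NOT NULL   -- grants to public (uid 0), which guest inherits
)

DECLARE @db sysname, @sql nvarchar(4000)

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd database names in the dynamic SQL.
    SET @sql = N'INSERT #guest_audit
        SELECT ' + QUOTENAME(@db, '''') + N', u.hasdbaccess,
            (SELECT COUNT(*) FROM ' + QUOTENAME(@db) + N'.dbo.sysprotects p
              WHERE p.uid = u.uid AND p.protecttype IN (204, 205)),
            (SELECT COUNT(*) FROM ' + QUOTENAME(@db) + N'.dbo.sysprotects p
              WHERE p.uid = 0 AND p.protecttype IN (204, 205))
        FROM ' + QUOTENAME(@db) + N'.dbo.sysusers u
        WHERE u.name = ''guest'''
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- Databases with guest_enabled = 1 come first; a database with no guest
-- user at all produces no row.
SELECT dbname, guest_enabled, guest_grants, public_grants
FROM #guest_audit
ORDER BY guest_enabled DESC, dbname

DROP TABLE #guest_audit
```

Where guest_enabled is 1 in a user database, sp_revokedbaccess 'guest' (the procedure named in the thread) removes that access. For the databases where the thread says it cannot be run, the public_grants figure shows how much guest inherits and is the number to review.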