Re: Guest Account

From: Kimberly L. Tripp (Kimberly@nospam.sqlskills.com)
Date: 10/04/02


From: "Kimberly L. Tripp" <Kimberly@nospam.sqlskills.com>
Date: Fri, 4 Oct 2002 14:00:34 -0700


The guest account is a way for people to access a database - NOT the server.
There is no login that is directly associated with guest... SO - you must be
able to login to the server FIRST before the guest USER account does you any
good.

As for the guest account in Northwind/Pubs - yes, the guest account has
access. In many cases it is read/write; however, the pubs and northwind
databases are sample databases - for learning. If it's a production box you
can go ahead and completely drop them. You could detach them as suggested
but you don't really need to - you can always get them back by checking out
the BOL "northwind sample database" and "pubs sample database" topics.

As for the guest account in master - yes, the guest account has access and
it's VERY limited. It basically is what gives users the ability to execute
stored procedures such as sp_help, etc. I would NOT eliminate the guest
account in master. BUT I would make sure that it doesn't have any rights
that seem out of the ordinary. Hard to know I realize but all of the rights
are for sps and system tables.

As for the guest account in user databases - NO, it is RARE that I would
allow the guest account within a user database. This will allow anyone with
LOGIN access to the server access to your database. Generally, I make sure
that every Login has a specific User account within the database(s) that
they need access.

For more info on security check out the security site on microsoft.com/sql.
There are quite a few helpful whitepapers, etc.
http://www.microsoft.com/sql/techinfo/administration/2000/security.asp

HTH,
kt

Kimberly L. Tripp
********************
Please do not send mail to me directly - reply on the newsgroup.
Please include legible and tested code samples (and ddl if possible!). This
makes it easier to test and answer your questions. Thanks!

"CSDunn" <cdunn@valverde.edu> wrote in message
news:e5tCTz9aCHA.640@tkmsftngp11...
> This comes from the book, "Professional SQL Server 2000 Programming", WROX
> publishers p.1059:
>
> "The guest account provides a way of having default access. When you have
> the guest account active, then several things happen:
>
> - Logins gain guest level access to any database to which they are not
> explicitly given access.
> - Outside users can login through the guest account to gain access. This
> requires that they know the password for guest, but they'll already know the
> user exists (although, they probably also know that the sa account exists
> too).
>
> Personally, one of the first things I do with my SQL Server is to eliminate
> every ounce of access the guest account has. It's a loophole, and it winds
> up providing access in a way you don't intuitively think of."
>
> I work in a K-12 school district and am responsible for the development and
> admin duties of our main SQL Server 2000 box (as well as the web site, the
> help line, and other stuff). The primary instance of SQL Server that we work
> from is both the development box and the production box. The applications
> are built for teachers and administrators in the school district, who
> interface to the server through Access 2000 Project forms, mostly for data
> input. We use Access 2000 Project Reports to allow teachers and
> administrators to evaluate the data they input (no OLAP yet).
>
>
> "Ken Schaefer" <kenRMV@THISadOpenStatic.com> wrote in message
> news:#Y3Uxo1aCHA.1712@tkmsftngp11...
> > Where did you read about revoking Guest access to all objects? (so we can
> > see exactly what advice you were given and comment)
> >
> > Also, if this is a production box, you should detach Northwind and Pubs. If
> > it's a dev box, then it should probably be behind a firewall if you want to
> > keep sample applications/databases etc
> >
> > Cheers
> > Ken
> >
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > "CSDunn" <cdunn@valverde.edu> wrote in message
> > news:OFXM8fzaCHA.2104@tkmsftngp11...
> > > Hello,
> > > I am new to security on SQL Server 2000, and from what I have read, I should
> > > deny access to all of the objects available to the Guest account in the
> > > Master, MSDB, Temp, Northwind, Pubs, and all other User databases. Denying
> > > access to Northwind and Pubs was simple enough, but I read in BOL that I am
> > > not able to execute sp_revokedbaccess to the Master, MSDB or Temp databases.
> > > Before I go through and Deny permissions on the countless number of objects
> > > available to the guest user, I'd like to get a better understanding of what
> > > kind of security risk the 'Guest' user is for the databases on which I
> > > cannot revoke 'Guest' access, and what I should do for these databases.
> > >
> > > Our organization is moving towards web applications to SQL Server 2000, so I
> > > would also be curious to know what security implications this has for the
> > > 'Guest' account.
> > >
> > > Thanks for your help.
> > >
> > > CSDunn
> > >
> > >
> > >
> >
> >
>
>
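
The guidance in the reply at the top of this thread (guest is rarely wanted in user databases, and stays in master with its rights reviewed) can be checked with an audit script like the one below. It is an added example, not code from the thread; it assumes SQL Server 2000 system tables (`sysusers.hasdbaccess`) and treats master, msdb and tempdb as review-only because the original question says guest access cannot be revoked there.

```sql
-- Added example (SQL Server 2000 syntax); read-only apart from a temp table.
SET NOCOUNT ON

CREATE TABLE #guest_audit (dbname sysname NOT NULL, guest_enabled int NOT NULL)

DECLARE @db sysname, @sql nvarchar(4000)

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- sysusers.hasdbaccess = 1 on the guest row means a login with no user
    -- account of its own in this database is let in as guest.
    SET @sql = N'INSERT #guest_audit (dbname, guest_enabled) SELECT '
             + QUOTENAME(@db, '''') + N', COUNT(*) FROM '
             + QUOTENAME(@db) + N'.dbo.sysusers '
             + N'WHERE name = ''guest'' AND hasdbaccess = 1'
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- Report only: the revoke statement is generated as text, never executed here.
SELECT dbname,
       CASE WHEN dbname IN ('master', 'msdb', 'tempdb')
            THEN 'review rights only'
            ELSE 'USE ' + QUOTENAME(dbname) + ' EXEC sp_revokedbaccess ''guest'''
       END AS suggested_action
FROM #guest_audit
WHERE guest_enabled = 1
ORDER BY dbname

DROP TABLE #guest_audit

-- In master, list what guest has been granted so unusual rights stand out.
USE master
EXEC sp_helprotect NULL, 'guest'
```

Run it as a login that can open every database; `sp_helprotect` reports an error rather than an empty result when guest has no explicit grants in master.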


