Re: Guest Account
From: CSDunn (cdunn@valverde.edu)
Date: 10/04/02
From: "CSDunn" <cdunn@valverde.edu> Date: Fri, 4 Oct 2002 14:39:39 -0700
Thanks again, this is very helpful. CSDunn
"Kimberly L. Tripp" <Kimberly@nospam.sqlskills.com> wrote in message
news:OrFZoh#aCHA.2464@tkmsftngp11...
> The guest account is a way for people to access a database - NOT the server.
> There is no login that is directly associated with guest... SO - you must be
> able to log in to the server FIRST before the guest USER account does you any
> good.
>
> As for the guest account in Northwind/Pubs - yes, the guest account has
> access. In many cases it is read/write however the pubs and northwind
> databases are sample databases - for learning. If it's a production box you
> can go ahead and completely drop them. You could detach them as suggested
> but you don't really need to - you can always get them back by checking out
> the BOL "northwind sample database" and "pubs sample database" topics.
>
> As for the guest account in master - yes, the guest account has access and
> it's VERY limited. It basically is what gives users the ability to execute
> stored procedures such as sp_help, etc. I would NOT eliminate the guest
> account in master. BUT I would make sure that it doesn't have any rights
> that seem out of the ordinary. Hard to know I realize but all of the rights
> are for sps and system tables.
>
> As for the guest account in user databases - NO, it is RARE that I would
> allow the guest account within a user database. This will allow anyone with
> LOGIN access to the server access to your database. Generally, I make sure
> that every Login has a specific User account within the database(s) that
> they need access.
>
> For more info on security check out the security site on microsoft.com/sql.
> There are quite a few helpful whitepapers, etc.
> http://www.microsoft.com/sql/techinfo/administration/2000/security.asp
>
> HTH,
> kt
>
> Kimberly L. Tripp
> ********************
> Please do not send mail to me directly - reply on the newsgroup.
> Please include legible and tested code samples (and ddl if possible!). This
> makes it easier to test and answer your questions. Thanks!
>
> "CSDunn" <cdunn@valverde.edu> wrote in message
> news:e5tCTz9aCHA.640@tkmsftngp11...
> > This comes from the book, "Professional SQL Server 2000 Programming", WROX
> > publishers p.1059:
> >
> > "The guest account provides a way of having default access. When you have
> > the guest account active, then several things happen:
> >
> > - Logins gain guest level access to any database to which they are not
> > explicitly given access.
> > - Outside users can login through the guest account to gain access. This
> > requires that they know the password for guest, but they'll already know the
> > user exists (although, they probably also know that the sa account exists
> > too).
> >
> > Personally, one of the first things I do with my SQL Server is to eliminate
> > every ounce of access the guest account has. It's a loophole, and it winds
> > up providing access in a way you don't intuitively think of."
> >
> > I work in a K-12 school district and am responsible for the development and
> > admin duties of our main SQL Server 2000 box (as well as the web site, the
> > help line, and other stuff). The primary instance of SQL Server that we work
> > from is both the development box and the production box. The applications
> > are built for teachers and administrators in the school district, who
> > interface to the server through Access 2000 Project forms, mostly for data
> > input. We use Access 2000 Project Reports to allow teachers and
> > administrators to evaluate the data they input (no OLAP yet).
> >
> >
> > "Ken Schaefer" <kenRMV@THISadOpenStatic.com> wrote in message
> > news:#Y3Uxo1aCHA.1712@tkmsftngp11...
> > > Where did you read about revoking Guest access to all objects? (so we can
> > > see exactly what advice you were given and comment)
> > >
> > > Also, if this is a production box, you should detach Northwind and Pubs. If
> > > it's a dev box, then it should probably be behind a firewall if you want to
> > > keep sample applications/databases etc
> > >
> > > Cheers
> > > Ken
> > >
> > > --
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > > "CSDunn" <cdunn@valverde.edu> wrote in message
> > > news:OFXM8fzaCHA.2104@tkmsftngp11...
> > > > Hello,
> > > > I am new to security on SQL Server 2000, and from what I have read, I should
> > > > deny access to all of the objects available to the Guest account in the
> > > > Master, MSDB, Temp, Northwind, Pubs, and all other User databases. Denying
> > > > access to Northwind and Pubs was simple enough, but I read in BOL that I am
> > > > not able to execute sp_revokedbaccess to the Master, MSDB or Temp databases.
> > > > Before I go through and Deny permissions on the countless number of objects
> > > > available to the guest user, I'd like to get a better understanding of what
> > > > kind of security risk the 'Guest' user is for the databases on which I
> > > > cannot revoke 'Guest' access, and what I should do for these databases.
> > > >
> > > > Our organization is moving towards web applications to SQL Server 2000, so I
> > > > would also be curious to know what security implications this has for the
> > > > 'Guest' account.
> > > >
> > > > Thanks for your help.
> > > >
> > > > CSDunn
> > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
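
The per-database review discussed in this thread can be done in one pass. The script below is an added example, not code posted by anyone in the thread: it reports every online database where the guest user is enabled and labels each with the advice given above. It assumes SQL Server 2000 system tables (`sysdatabases`, `sysusers.hasdbaccess`) and a sysadmin connection; grouping msdb and tempdb with master is an assumption, and `YourUserDb` is a placeholder.

```sql
-- Added example: report where the guest user is enabled (SQL Server 2000).
SET NOCOUNT ON
CREATE TABLE #guest_access (dbname sysname NOT NULL, guest_rows int NOT NULL)

DECLARE @db sysname, @sql nvarchar(4000)
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- hasdbaccess = 1: any login without its own user enters this db as guest
    SET @sql = N'INSERT #guest_access (dbname, guest_rows) SELECT N'
             + QUOTENAME(@db, '''') + N', COUNT(*) FROM '
             + QUOTENAME(@db) + N'.dbo.sysusers '
             + N'WHERE name = ''guest'' AND hasdbaccess = 1'
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- Labels follow the thread; msdb/tempdb grouped with master as an assumption
SELECT dbname,
       CASE
         WHEN dbname IN ('master', 'tempdb', 'msdb')
           THEN 'system database: keep guest, review its permissions'
         WHEN dbname IN ('Northwind', 'pubs')
           THEN 'sample database: drop or detach on a production box'
         ELSE 'user database: revoke guest, give each login its own user'
       END AS suggested_action
FROM #guest_access
WHERE guest_rows > 0
ORDER BY dbname

-- List what guest has been granted in master, to spot unusual rights
EXEC master.dbo.sp_helprotect @username = 'guest'

DROP TABLE #guest_access

-- To remove guest from one user database (placeholder name):
-- USE YourUserDb
-- EXEC sp_revokedbaccess 'guest'
```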