Re: Any valid login can access Enterprise Manager



Thks Dan for all your help!

"Dan Guzman" wrote:

By default, SQL 2000 users can read catalog meta data in those databases
they have permissions to access. It's possible to revoke public permissions
from some of the catalog objects but this can break data access API's so
proceed at your own risk. SQL 2005 provides more control over meta data
access.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Oddie" <Oddie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5D081158-8F2B-428B-ABE2-32892258C3C0@xxxxxxxxxxxxxxxx
Thks Dan - it sure works - but still no way of preventing a valid SQL
Login
to access other objects on EM or seeing them using other tools (such as
Visual Studio).

Thks again!

"Dan Guzman" wrote:

2. Though cannot change any objects, but can
- 1. view all system objects (logins, DTS etc)

You can disable the msdb guest user (EXEC msdb..sp_dropuser 'guest') to
prevent access to msdb. This will prevent viewing DTS packages. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;282463.

You can 'REVOKE SELECT FROM syslogins' to prevent non privileged users
from
enumerating logins via EM.

3. STOP SQL Server Agent
4. RESTART SQL SERVER!!!!

The ability to stop and start services is controlled through Windows
permissions, not SQL Server security. If the account is a member of the
Windows 'Administrators' or 'Power Users' groups, then the user can stop
and
start services using any tool or command. EM will not allow
non-privileged
users to stop/start services.

--
Hope this helps.

Dan Guzman
SQL Server MVP

"Oddie" <Oddie@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:2DB045CF-4B2F-4493-BEB5-FA684D5800A1@xxxxxxxxxxxxxxxx
Hi.

When creating a SQL Server2000 login (NT Authen) with read-only rights
to
user tables in a user database, this very same login can:
1. Login into EM
2. Though cannot change any objects, but can
- 1. view all system objects (logins, DTS etc)
3. STOP SQL Server Agent
4. RESTART SQL SERVER!!!!

This all seem to be traced back to the fact every login is a member of
the
PUBLIC role, and the PUBLIC role allow u to do all of the above!!!

Can anyone tell me how to:
1. Prevent user (not DBA, DBO's etc) login into EM???
2. Prevent user login into QA???

Cheers!






.



Relevant Pages

  • Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?
    ... a Window 2000 Login with Domain User default permissions, ... > actually answered the question about the permissions the user has re: ... Forget about SQL Server for the moment. ... >> Enterprise Manager, but he is still able to stop the SQL Agent ...
    (microsoft.public.sqlserver.security)
  • Re: SQL Server Security: NT Groups
    ... permissions from their group membership. ... So if I'm a member of GroupA and GroupA is granted a login ... SQL Server and access database B. ... membership, role membership with deny taking precedence. ...
    (microsoft.public.sqlserver.security)
  • Permissions!
    ... permissions to database objects are concerned. ... I have a SQL Server 7.0 database table which has 6 columns. ... REVOKE or DENY permissions to these 3 users? ... Please note that I login to my Windows 2000 Professional machine using ...
    (microsoft.public.sqlserver.security)
  • Re: SQL Server Security: NT Groups
    ... >permissions from their group membership. ... >So if I'm a member of GroupA and GroupA is granted a login ... >>I'm new to SQL Server security and I don't know if it is ... >>then just add the 2 logins to the SQL Server Roles. ...
    (microsoft.public.sqlserver.security)
  • Re: Security question ..
    ... > If you use NT authentication, a user's permissions to a database are ... Your assertion that a user's permissions are independent of the application ... Even using Access and "exploring" will require an ODBC login to SQL Server. ...
    (microsoft.public.sqlserver.server)