Re: DENY ALL on system SPs in a database
- From: Mike <mikey@xxxxxxxxxxxxx>
- Date: Fri, 25 Jul 2008 11:06:19 -0400
Currently the user does not have rights to the master database and the account does not have any other rights other than dataread and datawrite.
The injection utilized the web account to read the sysobjects and syscolumns tables in one specific database and then utilized the results to update the data within the tables they found containing text datatypes.
I modified the rights of the web account to explicitly deny all rights to the system tables and that has worked to keep the attacker out.
Mike
Uri Dimant wrote:
Mike.
Do not let the user have access to the master database. Does the account you connect to have sysadmin privilege?
"Mike" <mikey@xxxxxxxxxxxxx> wrote in message news:O%23FHnRP7IHA.3672@xxxxxxxxxxxxxxxxxxxxxxx
ALL,
We are currently undergoing a SQL injection attack. While I have denied all access to system tables in the databases for the account in question, I was wondering if there is any risk in denying execute rights on all the system stored procedures in the database as well for this account (which is a SQL account I created for our web applications to use).
We are currently using MSSQL Server 2000 in the Windows environment.
Thoughts?
Thank you in advance!
Mike
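
Added example, not part of the original thread: a T-SQL sketch of the mitigation described above for SQL Server 2000, denying the web account access to the two system tables named in the thread and then verifying the result from that account's own context. The database name `AppDb` and the account name `web_app` are assumed placeholders.

```sql
-- Added example; AppDb and web_app are assumed placeholder names.
-- Run as a member of db_owner or sysadmin. SQL Server 2000 syntax.
USE AppDb
GO

-- Explicitly deny all object permissions on the two system tables the
-- thread says were read through the web account. An explicit DENY
-- overrides the SELECT the account would otherwise have.
DENY ALL ON dbo.sysobjects TO web_app
DENY ALL ON dbo.syscolumns TO web_app
GO

-- List what the account is granted and denied in this database, so the
-- new DENY rows can be reviewed next to its existing permissions.
EXEC sp_helprotect @username = 'web_app'
GO

-- Verify from the account's own security context. SETUSER is the
-- SQL Server 2000 impersonation statement (EXECUTE AS arrived later).
SETUSER 'web_app'
GO

-- Each SELECT should now fail with error 229 (permission denied).
SELECT TOP 1 name FROM sysobjects
GO
SELECT TOP 1 name FROM syscolumns
GO

-- Revert to the administrator's own context.
SETUSER
GO
```

Repeat the script in each database the web account can reach, since the permissions are set per database.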