Microsoft SQL Server Best Practices document on securing SQL Server

byrocat - 29 Jul 2005 17:15 GMT
I'm chasing after a document that was available on one of the Microsoft
websites that was titled something like "MS SQL Server Best Practices"
and detailed a number of best practices about securing the server.

Included in this was revoking public access to the system table
objects.

Can someone post the URL where I can pick this up, or drop me a note on
contacting them for a copy of the document?
Simon Hayes - 29 Jul 2005 17:49 GMT
> I'm chasing after a document that was available on one of the Microsoft
> websites that was titled something like "MS SQL Server Best Practices"
[quoted text clipped - 5 lines]
> Can someone post the URL where I can pick this up, or drop me a note on
> contacting them for a copy of the document?

You can find the Microsoft security docs, including a best practices white
paper, here:

http://www.microsoft.com/sql/techinfo/administration/2000/security/default.mspx

I don't know of any good reason to revoke public permissions on system
tables - it might actually break something if users can't retrieve metadata
for some operations. Books Online states that a REVOKE applied to the public
role applies to all database users, which is probably not desirable in many
cases.

This issue often seems to be raised by IT auditors, probably because it has
somehow become part of an industry-standard audit checklist, but the MS best
practices document says only "do not grant additional permissions to this
role", implying that the existing permissions are fine:

http://www.microsoft.com/technet/prodtechnol/sql/2000/maintain/sp3sec02.mspx

Simon
Erland Sommarskog - 29 Jul 2005 23:12 GMT
> I'm chasing after a document that was available on one of the Microsoft
> websites that was titled something like "MS SQL Server Best Practices"
> and detailed a number of best practices about securing the server.
>
> Included in this was revoking public access to the system table
> objects.

I would not do this. At least not without extensive testing first.

The fact that all metadata is open to anyone is not entirely
satisfactory, but the opposite is not good either.

In SQL 2005 things are different. Here you can only see metadata
for objects that you have access to. Unfortunately, this important
distinction is not possible to make in SQL 2000.

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinfo/productdoc/2000/books.asp
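
An added example, not written by any poster in this thread: before acting on an audit finding like the one discussed above, a DBA can inventory what the public role actually holds on system objects in a database, so the effect of a REVOKE can be tested against a known baseline. The first batch is for SQL Server 2000 and the second for SQL Server 2005; the temp table name #public_perms and its column names are hypothetical.

```sql
-- SQL Server 2000: run in the database being audited.
-- sp_helprotect returns seven columns (Owner, Object, Grantee, Grantor,
-- ProtectType, Action, Column); INSERT ... EXEC maps them by position.
CREATE TABLE #public_perms (
    owner_name   sysname      NULL,
    object_name  sysname      NULL,
    grantee      sysname      NULL,
    grantor      sysname      NULL,
    protect_type nvarchar(10) NULL,
    action_name  nvarchar(60) NULL,
    column_name  sysname      NULL
)

INSERT INTO #public_perms
EXEC sp_helprotect NULL, 'public'

-- Keep only permissions on system tables (sysobjects.xtype = 'S').
SELECT p.owner_name, p.object_name, p.protect_type, p.action_name, p.column_name
FROM #public_perms AS p
JOIN sysobjects AS o
  ON o.name = p.object_name
 AND USER_NAME(o.uid) = p.owner_name
WHERE o.xtype = 'S'
ORDER BY p.object_name, p.action_name

DROP TABLE #public_perms
GO

-- SQL Server 2005: the same inventory from the catalog views.
-- class = 1 restricts the result to object- and column-level permissions.
SELECT o.name AS object_name,
       o.type_desc,
       dp.permission_name,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.all_objects AS o
  ON o.object_id = dp.major_id
WHERE dp.class = 1
  AND dp.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND o.is_ms_shipped = 1
ORDER BY o.name, dp.permission_name
GO
```

Saving the result set from a test copy of the database before and after any change gives a concrete list of what applications and tools could lose access to.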

 