SQL Server Forum / General / Security / July 2008

DENY ALL on system SPs in a database

Mike - 23 Jul 2008 19:46 GMT
ALL,

We are currently undergoing a SQL injection attack. While I have denied
all access to system tables in the databases for the account in
question, I was wondering if there is any risk in denying execute rights
on all the system stored procedures in the database as well for this
account (which is a SQL account I created for our web applications to use).

We are currently using MSSQL Server 2000 in the Windows environment.

Thoughts?

Thank you in advance!

Mike
Erland Sommarskog - 23 Jul 2008 23:47 GMT
> We are currently undergoing a SQL injection attack.  While I have denied
> all access to system tables in the databases for the account in
> question, I was wondering if there is any risk in denying execute rights
> on all the system stored procedures in the database as well for this
> account (which is a sql account I created for our web applications to use)
The system stored procedures live in master. I don't think you can deny a
user access to these unless you add this user to master first.

But wouldn't it be better to disable this user id entirely?

Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx

Uri Dimant - 24 Jul 2008 07:54 GMT
Mike
Do not let the user access the master database. Does the account you
connect with have sysadmin privileges?

Mike - 25 Jul 2008 16:06 GMT
Currently the user does not have rights to the master database, and the
account does not have any rights other than dataread and datawrite.

The injection utilized the web account to read the sysobjects and
syscolumns tables in one specific database and then utilized the results
to update the data within the tables they found containing text data types.

I modified the rights of the web account to explicitly deny all rights
to the system tables and that has worked to keep the attacker out.

Mike
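The mitigation Mike describes, written out as T-SQL for SQL Server 2000 (an added example, not the poster's own script): deny SELECT on every system table in one database to the web account, then confirm the deny is in effect. The database name and the user name [webapp] are placeholders; it does not touch the system stored procedures in master that Erland mentions.

```sql
-- Constructed example: deny SELECT on all system tables in the current
-- database to a placeholder web-application user. Targets SQL Server 2000,
-- where sysobjects/syscolumns are real per-database tables owned by dbo.
-- Assumes a database user named [webapp] already exists here (placeholder).
USE YourAppDatabase   -- placeholder database name
GO
DECLARE @user sysname, @tbl sysname, @sql nvarchar(512)
SET @user = N'webapp'

-- xtype 'S' marks system tables in SQL Server 2000's sysobjects
DECLARE sys_tables CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM dbo.sysobjects WHERE xtype = 'S'
OPEN sys_tables
FETCH NEXT FROM sys_tables INTO @tbl
WHILE @@FETCH_STATUS = 0
BEGIN
    -- DENY wins over any GRANT the user inherits via public or a fixed role
    SET @sql = N'DENY SELECT ON dbo.' + QUOTENAME(@tbl) + N' TO ' + QUOTENAME(@user)
    EXEC sp_executesql @sql
    FETCH NEXT FROM sys_tables INTO @tbl
END
CLOSE sys_tables
DEALLOCATE sys_tables
GO

-- Verify: list the permissions now recorded for the web user
EXEC sp_helprotect @username = 'webapp'
GO

-- Verify as the web user itself (SETUSER needs sysadmin or db_owner):
-- the catalog read that the injection relied on should now be refused
SETUSER 'webapp'
SELECT name FROM dbo.sysobjects WHERE xtype = 'U'   -- expect a permission-denied error
SETUSER                                             -- revert to the original user
GO
```

Run the application's own metadata-dependent calls (sp_help, ADO schema queries, ORM table discovery) against the denied account afterwards, since those break the same way the injected catalog reads do.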