tags:

views:

250

answers:

1
Q: 

Sql 2008 "Public Not Granted Server Permission" policy

I recently started looking into the new Policy Management in SQL Server 2008 and when I checked for compliance with the "Public Not Granted Server Permission" policy, my server failed the check. The reason was, and I am pretty sure this is the default, public has TCP Endpoint permission so that users can connect to the server. If I were to remove this, I would have to assign users individually the right to connect.

This seems silly to me. I cannot figure out why Microsoft would recommend changing this. I have no guest account, so only specified users can access the server. The server is behind a firewall, and only one subnet in the company can even access it. Does anyone have any insight on this?

A: 

Security best practices start with locking EVERYTHING down, then only opening up pieces as necessary to the people that actually need to get to it.

By allowing the "public" access to even connect, regardless of the fact that they don't have rights to do anything, opens the door just a crack. Sometimes, that's enough to exploit a buffer overflow or another type of attack.

UPDATE

A Login and a User are two different things. A login is server level, a User is database specific. Every User should have a corresponding login; but not every login will have a database user account.

Let's say you are using Active Directory integrated security; and you've assigned a particular AD group to have access to the server. Now, only some of those within the group may actually have access to certain databases. Those are the people you want to allow access to connect. Whereas the other members of the group don't have regular database user accounts.

By definition this is a problem as some of the group members can connect and list databases on the server even though they don't have access to any of those databases. That's the "crack" in the door I'm talking about.

If you can stop those people from even being able to connect then you've gone a long way towards securing your server.

There are other server level permissions that the Public role grants to logins. If possible, you should turn it off just like you would a guest account.

Chris Lively  2009-04-01 20:52:21
That makes no sense to me. Correct me if I'm wrong, but to be a member of the public role, you must have a login. A login serves no purpose if it cannot connect to the server. If public did not have the connect permission, I would have to give it to every login anyway.
jhale  2009-04-02 12:33:29
In my case, I have no logins that do not have a db user account. Also, the only permission granted to the public role on my server was TCP endpoint rights. I'm thinking this recommendation just doesn't apply to my situation. You did come up with a scenario I hadn't thought of though.
jhale  2009-04-02 18:36:53

related questions

Sql to query a dbs scheme
Transform Columns into Rows
SQL Client for Mac OS X that works with MS SQL Server
How do you get leading wildcard full-text searches to work in SQL Server?
SQL Server 2000: Is there a way to tell when a record was last modified?
What's the BEST way to remove the time portion of a datetime value (SQL Server)
I need to know how much disk space a table is using in SQL Server
What's the best way to determine if a temporary table exists in SQL Server?
Appropriate pagefile size for SQL Server
Have you ever encountered a query that SQL Server could not execute because it referenced too many tables?
ASP.NET MVC "CRUD" Database Sample
How do I unit test persistence?
Best Book for a new Database Developer
Can I logically reorder columns in a table?
Best way to copy a database in SQL Server 2005/8?
Is Windows Server 2008 "Server Core" appropriate for a SQL Server instance?
Why doesn't SQL Full Text Indexing return results for words containing #?
Client collation and SQL Server 2005
Editing database records by multiple users
Deploying SQL Server Databases from Test to Live
SQL Server 2005 implementation of MySQL REPLACE INTO?
Upgrading SQL Server 6.5
How do I version my MS SQL database in SVN?
How to export data from SQL Server 2005 to MySQL
Check for changes to a SQL table?