Database security (non-existent?)

  • Annonymous Coward

    Database security (non-existent?)

    I recently downloaded and installed SQLServer Express. I am considering
    using it as the backend db for my app (i.e. moving from the current
    PostgreSQL).

    I run sqlcmd without specifying any username or pwd, and I was surprised
    that I had access to the 'server', and could create and drop databases
    (admittedly I dropped only the dbs I created). This appears to be a
    *HUGE* security flaw - unless (I hope), I have missed something.

    Also, does anyone know where I can get help at the command line, so I
    can interrogate the server (e.g. viewing list of available dbs, tables
    in a db, db/view schema etc).

    Last but not the least, is there a frontend for SSE?
  • Plamen Ratchev

    #2
    Re: Database security (non-existent?)

    "Annonymous Coward" <me@home.com> wrote in message
    news:j46dna4uNN2e0f_VnZ2dnUVZ8sjinZ2d@bt.com...
    > I run sqlcmd without specifying any username or pwd, and I was surprised
    > that I had access to the 'server', and could create and drop databases
    > (admittedly I dropped only the dbs I created). This appears to be a *HUGE*
    > security flaw - unless (I hope), I have missed something.
    >
    This is not a security flaw. When you run sqlcmd without providing the
    user/password via the -U/-P parameters, sqlcmd by default uses a trusted
    connection with your Windows account (which is the -E option).

    See more details on all options here:

    > Also, does anyone know where I can get help at the command line, so I can
    > interrogate the server (e.g. viewing list of available dbs, tables in a
    > db, db/view schema etc).
    >
    SQL Server Books Online is the complete documentation for SQL Server.


    Here is a direct link to the topic on how to query the system catalog:


    And the system catalog map download:


    > Last but not the least, is there a frontend for SSE?
    SQL Server Management Studio Express:



    HTH,

    Plamen Ratchev
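
Added example, not part of the original thread: T-SQL that shows which login a trusted `sqlcmd` connection resolved to, whether that login holds the server roles that permit creating and dropping databases, and the catalog queries for listing databases, tables and columns. The instance name `.\SQLEXPRESS` and the script name `whoami.sql` are assumptions.

```sql
-- Run over a trusted (Windows) connection, for example:
--   sqlcmd -E -S .\SQLEXPRESS -i whoami.sql
-- (.\SQLEXPRESS and whoami.sql are assumed names, not taken from the thread)

-- 1. Which login did the connection resolve to, and how was it authenticated?
--    auth_scheme is NTLM or KERBEROS for a trusted connection, SQL for -U/-P.
--    sys.dm_exec_connections needs VIEW SERVER STATE permission.
SELECT ORIGINAL_LOGIN() AS original_login,
       SUSER_SNAME()    AS current_login,
       USER_NAME()      AS database_user,
       c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;

-- 2. Does that login hold a server role that allows CREATE/DROP DATABASE?
--    1 = member, 0 = not a member.
SELECT IS_SRVROLEMEMBER('sysadmin')  AS is_sysadmin,
       IS_SRVROLEMEMBER('dbcreator') AS is_dbcreator;

-- 3. Which logins (Windows users, Windows groups, SQL logins) are in each
--    fixed server role? Review this list when hardening the instance.
SELECT r.name AS server_role, m.name AS member, m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 4. Is the instance Windows-authentication-only (1) or mixed mode (0)?
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 5. System catalog: databases on the server.
SELECT name, database_id, create_date
FROM sys.databases
ORDER BY name;

-- 6. Tables and views in the current database, then their columns.
SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
FROM INFORMATION_SCHEMA.TABLES
ORDER BY TABLE_SCHEMA, TABLE_NAME;

SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME, DATA_TYPE, IS_NULLABLE
FROM INFORMATION_SCHEMA.COLUMNS
ORDER BY TABLE_SCHEMA, TABLE_NAME, ORDINAL_POSITION;
GO
```

An `is_sysadmin` value of 1 is what lets CREATE and DROP DATABASE succeed without `-U`/`-P`; the role-membership query shows which Windows account or group grants it.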



    • Greg D. Moore (Strider)

      #3
      Re: Database security (non-existent?)

      "Annonymous Coward" <me@home.com> wrote in message
      news:j46dna4uNN2e0f_VnZ2dnUVZ8sjinZ2d@bt.com...
      > I recently downloaded and installed SQLServer Express. I am considering using
      > it as the backend db for my app (i.e. moving from the current PostgreSQL).
      >
      > I run sqlcmd without specifying any username or pwd, and I was surprised
      > that I had access to the 'server', and could create and drop databases
      > (admittedly I dropped only the dbs I created). This appears to be a *HUGE*
      > security flaw - unless (I hope), I have missed something.
      >
      Umm, not really. This is by design. Especially if you have any sorts of
      admin capabilities on your box.

      BTW, based on this and your other post, I would highly recommend you pick up
      a book (check out Microsoft Press) on SQL Server 2005 security. There's far
      too much to learn than you can adequately learn in a newsgroup like this.

      Simply put, done correctly SQL Server 2005 is pretty much as secure as
      anything else out there.

      > Also, does anyone know where I can get help at the command line, so I can
      > interrogate the server (e.g. viewing list of available dbs, tables in a
      > db, db/view schema etc).
      >
      > Last but not the least, is there a frontend for SSE?
      Yes. I don't have the URL off-hand though.


      --
      Greg Moore
      SQL Server DBA Consulting Remote and Onsite available!
      Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html



      • Arved Sandstrom

        #4
        Re: Database security (non-existent?)

        "Greg D. Moore (Strider)" <mooregr_deleteth1s@greenms.com> wrote in message
        news:SIednfQ_H8TjoPXVnZ2dnUVZ_qHinZ2d@earthlink.com...
        > "Annonymous Coward" <me@home.com> wrote in message
        > news:j46dna4uNN2e0f_VnZ2dnUVZ8sjinZ2d@bt.com...
        >> I recently downloaded and installed SQLServer Express. I am considering
        >> using it as the backend db for my app (i.e. moving from the current
        >> PostgreSQL).
        >>
        >> I run sqlcmd without specifying any username or pwd, and I was surprised
        >> that I had access to the 'server', and could create and drop databases
        >> (admittedly I dropped only the dbs I created). This appears to be a
        >> *HUGE* security flaw - unless (I hope), I have missed something.
        >>
        >
        > Umm, not really. This is by design. Especially if you have any sorts of
        > admin capabilities on your box.
        >
        > BTW, based on this and your other post, I would highly recommend you pick
        > up a book (check out Microsoft Press) on SQL Server 2005 security.
        > There's far too much to learn than you can adequately learn in a newsgroup
        > like this.
        >
        > Simply put, done correctly SQL Server 2005 is pretty much as secure as
        > anything else out there.
        [ SNIP ]

        I would also recommend a book. However, reading articles like
        http://technet.microsoft.com/en-us/l.../ms345149.aspx is certainly a good
        start.

        AHS

