meishu
asked on
SQL Server 2000: Are the permissions for the public role important?
Hi Experts,
In regard to the SQL injection hack of the past weeks, we took a look at the permissions in our SQL Server and saw the permissions for the public role. There are many SELECT or EXEC permissions given, mostly on system tables and some standard SPs.
We wonder if these permissions are important. We turned them off and our websites and other apps still seem to be working. Are there some permissions we should leave open?
Regards,
Christophe
ASKER
Thanks for the quick answer. I was hoping to get more details, but I will handle it that way.
Regarding SQL injection attacks:
If you do data manipulation only through SPs, do this:
Create a new user and revoke permissions on all tables.
Only give permission on the SPs you want it to execute.
If you have two sets of SPs, for users and admins, grant access only to the user SPs.
If the user has permission to execute the SP, there is no need for permission on the tables.
So even if a hacker uses the table name, that won't have any effect.
If he passes some dynamic query to the SP, that will also fail.
Thanks
Krishna
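
The setup described in the answer above, as an added T-SQL example for SQL Server 2000 that is not part of the original posts. The database, table, procedure and account names (`SampleShop`, `dbo.Orders`, `usp_GetOrdersForCustomer`, `webapp_login`, `webapp_user`) and the password placeholder are assumptions made up for illustration.

```sql
-- Constructed example: all object and account names are placeholders.
USE SampleShop
GO

-- Sample table and the only procedure the web application may call.
-- Both are owned by dbo, so the ownership chain between them is unbroken.
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int, Total money)
GO
CREATE PROCEDURE dbo.usp_GetOrdersForCustomer @CustomerId int
AS
    -- Static statement: the parameter is never concatenated into SQL text.
    SELECT OrderId, Total FROM dbo.Orders WHERE CustomerId = @CustomerId
GO

-- Dedicated low-privilege login and database user for the web site.
EXEC sp_addlogin 'webapp_login', '<strong-password-here>', 'SampleShop'
EXEC sp_grantdbaccess 'webapp_login', 'webapp_user'
GO

-- No direct table access, neither through public nor for the user itself.
REVOKE ALL ON dbo.Orders FROM public
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Orders TO webapp_user
-- The only grant: EXECUTE on the user-facing procedure.
GRANT EXECUTE ON dbo.usp_GetOrdersForCustomer TO webapp_user
GO

-- Verify as webapp_user (SETUSER lets a sysadmin or dbo impersonate a user).
SETUSER 'webapp_user'
GO
-- Succeeds: with an unbroken ownership chain, table permissions are not checked.
EXEC dbo.usp_GetOrdersForCustomer @CustomerId = 1
GO
-- Fails with "SELECT permission denied": no direct table access.
SELECT * FROM dbo.Orders
GO
SETUSER   -- back to the original identity
GO

-- Review what the application user and the public role can still reach.
EXEC sp_helprotect NULL, 'webapp_user'
EXEC sp_helprotect NULL, 'public'
GO
```

A procedure that builds a statement as a string and runs it with `EXEC()` is checked against the caller's own permissions, so under this setup it fails for `webapp_user` as well.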