Solved

SQL Server 2000: Are the permissions for the public role important?

Posted on 2008-06-23
Medium Priority
360 Views
Last Modified: 2010-04-21
Hi Experts,

In regard to the SQL injection hack of the past weeks, we took a look at the permissions in our SQL Server and saw the permissions for the public role. There are many SELECT or EXEC permissions given, mostly on system tables and some standard SPs.

We wonder if these permissions are important. We removed them and our websites and other apps still seem to be working. Are there some permissions we should leave open?

Regards,
Christophe
Question by: meishu
3 Comments

LVL 60
Accepted Solution
by: chapmandew (earned 750 total points)
ID: 21845293
Well...it depends.  These would be permissions given to every user in the db who can connect...so, it is likely reasonably important.  It becomes even more important if you're dealing with sensitive data or have given public permission to run xp_cmdshell.  If you've taken the perms away and all is still well, then keep it that way.  If you have taken them away and start getting problems, investigate the exact permissions needed and give them to an account other than public.
0
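To act on the accepted answer's advice ("investigate the exact permissions needed"), the first step is to see exactly what public currently holds in each database. The following audit query is an added example and is not part of the original thread; it uses the SQL Server 2000 system tables sysprotects, sysusers and sysobjects (on SQL Server 2005 and later you would query sys.database_permissions instead). The numeric action and protecttype codes are the documented SQL Server 2000 values. Run it in every user database, then the last part in master to check the xp_cmdshell case the answer singles out.

```sql
-- Added example (not from the thread): list every object-level permission held by the
-- public role in the current database on SQL Server 2000.
SELECT  o.name  AS object_name,
        o.xtype AS object_type,          -- U=user table, S=system table, P=proc, X=extended proc, V=view
        CASE p.action
            WHEN 193 THEN 'SELECT'
            WHEN 195 THEN 'INSERT'
            WHEN 196 THEN 'DELETE'
            WHEN 197 THEN 'UPDATE'
            WHEN 224 THEN 'EXECUTE'
            WHEN 26  THEN 'REFERENCES'
            ELSE CAST(p.action AS varchar(10))
        END     AS permission,
        CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
        END     AS state
FROM    sysprotects p
JOIN    sysusers    u ON u.uid = p.uid     -- public is uid 0 in every database
JOIN    sysobjects  o ON o.id  = p.id
WHERE   u.name = 'public'
ORDER BY o.xtype, o.name, permission;
GO

-- Same check, narrowed to user tables and procedures only: these are the rows that
-- matter most for an injection scenario, because the web login inherits them.
SELECT  o.name, o.xtype
FROM    sysprotects p
JOIN    sysusers    u ON u.uid = p.uid
JOIN    sysobjects  o ON o.id  = p.id
WHERE   u.name = 'public'
  AND   o.xtype IN ('U', 'P', 'V')
  AND   p.protecttype IN (204, 205)      -- grants only, ignore DENY rows
ORDER BY o.xtype, o.name;
GO

-- Who can run xp_cmdshell? The extended procedure lives in master, so switch there.
USE master;
GO
SELECT  u.name AS grantee,
        CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS state
FROM    sysprotects p
JOIN    sysusers    u ON u.uid = p.uid
WHERE   p.id     = OBJECT_ID('dbo.xp_cmdshell')
  AND   p.action = 224;                  -- 224 = EXECUTE
GO
```

Expect a long list of SELECT grants on system tables (xtype 'S'); those are the SQL Server 2000 defaults and are usually harmless to leave. Any row on a user table, view or procedure, and any grantee other than sysadmin-level accounts on xp_cmdshell, is what you want to move off public and onto a specific user, as the answer suggests.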
 
LVL 5
Expert Comment
by: kumar_jac
ID: 21845846
Hi,
Regarding SQL injection attacks:
If you do data manipulation only by SPs, do this:
Create a new user and revoke permissions to all tables.
Only give the permission to SPs you want to execute.
If you have 2 sets of SPs, for user and admin, grant access only to the user SPs.

If the user has permission to execute the SP, there is no need for permission on the tables.
So if a hacker uses the table name, that won't have any effect either.

If he passes some dynamic query to the SP, that will also fail.

Thanks

Krishna
0
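The steps in this comment, together with the accepted answer's "give them to an account other than public", come down to one script, shown here as an added example that is not code from the thread. Every name in it is a placeholder (ShopDB, WebAppLogin, WebAppUser, dbo.Orders, usp_GetOrder, usp_PlaceOrder, usp_AdminDeleteOrder) and the password must be replaced. It uses SQL Server 2000 syntax (sp_addlogin, sp_grantdbaccess, SETUSER). The reason the procedures still work after the table rights are revoked is ownership chaining: when dbo owns both the procedure and the table, SQL Server does not check the caller's permission on the table for the static statements inside the procedure. That chain does not extend to SQL built at runtime inside the procedure with EXEC() or sp_executesql, which runs with the caller's own permissions; with the table rights revoked such text fails, which is a useful safety net, but the procedures themselves should still use parameters rather than string concatenation.

```sql
-- Added example (not from the thread): a least-privilege login for the web application
-- that can only execute approved stored procedures. All names are placeholders.
USE master;
GO
EXEC sp_addlogin @loginame = 'WebAppLogin',
                 @passwd   = '<replace with a strong password>',
                 @defdb    = 'ShopDB';
GO

USE ShopDB;
GO
-- Map the login to a database user. It becomes a member of public and nothing else.
EXEC sp_grantdbaccess @loginame = 'WebAppLogin', @name_in_db = 'WebAppUser';
GO

-- Sample schema so the script runs stand-alone (constructed for the example).
CREATE TABLE dbo.Orders (OrderId int PRIMARY KEY, CustomerId int NOT NULL, Total money NOT NULL);
GO
CREATE PROCEDURE dbo.usp_GetOrder @OrderId int AS
    SELECT OrderId, CustomerId, Total FROM dbo.Orders WHERE OrderId = @OrderId;
GO
CREATE PROCEDURE dbo.usp_PlaceOrder @CustomerId int, @Total money AS
    INSERT INTO dbo.Orders (OrderId, CustomerId, Total)
    SELECT ISNULL(MAX(OrderId), 0) + 1, @CustomerId, @Total FROM dbo.Orders;
GO
CREATE PROCEDURE dbo.usp_AdminDeleteOrder @OrderId int AS
    DELETE FROM dbo.Orders WHERE OrderId = @OrderId;
GO

-- Step 1: make sure public (and therefore WebAppUser) has no direct table access.
REVOKE SELECT, INSERT, UPDATE, DELETE ON dbo.Orders FROM public;
GO

-- Step 2: grant EXECUTE only on the "user" procedures; the admin procedure is left out,
-- so the web login cannot reach it even if an injected string names it.
GRANT EXECUTE ON dbo.usp_GetOrder   TO WebAppUser;
GRANT EXECUTE ON dbo.usp_PlaceOrder TO WebAppUser;
GO

-- Step 3: verify from the web user's point of view (SETUSER needs sysadmin or db_owner).
SETUSER 'WebAppUser';
GO
SELECT TOP 1 * FROM dbo.Orders;            -- error 229: SELECT permission denied
GO
EXEC dbo.usp_AdminDeleteOrder @OrderId = 1; -- error 229: EXECUTE permission denied
GO
EXEC dbo.usp_PlaceOrder @CustomerId = 42, @Total = 9.99;  -- succeeds via ownership chaining
EXEC dbo.usp_GetOrder   @OrderId = 1;                     -- succeeds, returns the row
GO
SETUSER;                                   -- back to your own context
GO
```

Point the website's connection string at WebAppLogin rather than sa or a db_owner account; the REVOKE in step 1 is what makes "a hacker uses the table name" fail, and step 2 is what keeps admin procedures out of reach.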
 

Author Closing Comment
by: meishu
ID: 31469699
Thx for the quick answer. I was hoping to get more details, but I will handle it that way.
0
