Solved

GUEST account risks

Posted on 2014-03-20
4
444 Views
Last Modified: 2014-03-25
In relation to the guest account on SQL Server, what are the risks in enabling this on user databases? If you already trust everyone with a SQL level logon whereby the databases are housed?

And secondly, do you access the database via the GUEST account, or your actual SQL login. For example if auditing was enabled, and a user acessed a database via the guest account, would any access/amendments made to the database going to be in the audit logs under the GUEST account. I wasnt sure if this is the main risk, i.e. accountability?
0
Comment
Question by:pma111
  • 2
4 Comments
 
LVL 25

Accepted Solution

by:
Tony Giangreco earned 250 total points
Comment Utility
The first question I would ask is how secure are the user and administrative passwords? If you are letting users assign their own passwords, you don't know how complex they are. I've seen users try to use their name, company name, Company address and other easy phrases to guess.

I manage client networks and always provide them with their pw. I set it so it does not expire and they cannot change it. This allows you to create a secure password for each account and have confidence that the pw is complex and secure.

After that has been addresses, I'd evaluate the share permissions you are using so it's not open to everybody. Make it authenticated users for something secure like that.
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Im talking guest at sql level not windows passwords are strong
0
 
LVL 13

Assisted Solution

by:AielloJ
AielloJ earned 250 total points
Comment Utility
pma111:

Guest accounts anywhere are security risks.  Let's examine the premise: You'd be allowing multiple accesses from users/parties that are not known or able to be identified with a username.

Aside from the technical issues, if the data is confidential in nature (medical, finance, accounting, etc) best practices strongly recommend against it, and auditors will write you up for it.

Best regards,

AielloJ
0
 
LVL 3

Author Comment

by:pma111
Comment Utility
Thats kind of what i was asking though, will actions be logged as the guest user or the sql server level login using the guest account
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

In this article I will describe the Detach & Attach method as one possible migration process and I will add the extra tasks needed for an upgrade when and where is applied so it will cover all.
How to leverage one TLS certificate to encrypt Microsoft SQL traffic and Remote Desktop Services, versus creating multiple tickets for the same server.
Using examples as well as descriptions, and references to Books Online, show the documentation available for datatypes, explain the available data types and show how data can be passed into and out of variables.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now