Click here to monitor SSC
SQLServerCentral is supported by Redgate
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase ««1234»»»

Why Use the Principle of Least Privilege? Expand / Collapse
Author
Message
Posted Tuesday, April 12, 2011 10:50 AM


SSC-Insane

SSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-Insane

Group: General Forum Members
Last Login: Wednesday, April 13, 2016 12:23 AM
Points: 20,643, Visits: 9,671
I love MS & all since I'm earning my living beause of them. BUT I work with ms Dynamics Nav and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have acess to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!



& BTW, there's a open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.
Post #1092247
Posted Tuesday, April 12, 2011 11:41 AM
Hall of Fame

Hall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of FameHall of Fame

Group: General Forum Members
Last Login: Saturday, October 24, 2015 2:31 AM
Points: 3,158, Visits: 11,771
There are fairly simple steps that you can use to eliminate the vast majority of SQL Injection attacks:

Always Use Parameters. Even if you don't use Stored Procedures.
http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx




Post #1092290
Posted Wednesday, April 13, 2011 9:30 AM


SSC-Addicted

SSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-AddictedSSC-Addicted

Group: General Forum Members
Last Login: Wednesday, May 7, 2014 7:16 AM
Points: 489, Visits: 1,265
K. Brian Kelley (4/12/2011)
In the BBS days...


I remember those days! I ran a very small BBB back in the 80's. Those were the days.

Anyway, what you describe is correct. The concept of whitelist vs. Blacklist. Whitelist being more secure and ensuring the characters or patters match an exact allowable list only, vs. a blacklist which is less secure and looks for characters not allowed. Blacklist being less secure because hackers are always adapting and changing and even if you blacklisted all of the bad chars/patterns today, it may be vulnerable tomorrow via a new yet-to-be-invented construct.

On the coding side, I advocate whitelist, and on an exception, attempt to blacklist sanitize the input (replace), then run it through the whitelist check one last time. This tends to prevent the really bad stuff, even if not invented yet (usually), while not doing a smack down on the users ETL process, etc.

Anyway, you made some nice points.

Jim


Jim Murphy
http://www.sqlwatchmen.com
@SQLMurph
Post #1092919
Posted Friday, April 15, 2011 10:34 AM


SSCoach

SSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoachSSCoach

Group: General Forum Members
Last Login: Friday, July 22, 2016 4:46 PM
Points: 19,907, Visits: 18,123
I think this is a great reminder that the effort to prevent injection is a continual process.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Post #1094281
Posted Friday, April 15, 2011 10:45 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, July 22, 2016 9:46 AM
Points: 5,218, Visits: 4,380
Ninja's_RGR'us (4/12/2011)
I love MS & all since I'm earning my living beause of them. BUT I work with ms Dynamics Nav and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have acess to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!



& BTW, there's a open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.

I reported this as a P0 to their test lead.

Thank you for bringing this up.
Post #1094290
Posted Friday, April 15, 2011 10:57 AM


SSC-Insane

SSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-InsaneSSC-Insane

Group: General Forum Members
Last Login: Wednesday, April 13, 2016 12:23 AM
Points: 20,643, Visits: 9,671
Revenant (4/15/2011)
Ninja's_RGR'us (4/12/2011)
I love MS & all since I'm earning my living because of them. BUT I work with ms Dynamics Nav and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!



& BTW, there's a open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.

I reported this as a P0 to their test lead.

Thank you for bringing this up.



Thanks a million. Any way I can provide more feedback if / when I find bugs?


The other issue with this is that we have no real way to do implementations.

IE : I put db is single user mode to kick every one out. Backup, restore, checkdb. Put db in restricted user mode so our team can kick in (at which point I didn't know that every user now had access). Tell our consultant to start the upgrade process. In the middle of it we realize we have incorrect data. We trace it to users having logged back it and done transactions. We had to use restricted users because there was 3-4 of us in there to run the tests as fast as possible. We now had to constantly monitor the connections and keep killing them for 2 hours until we were done.


Now the only safe way we have is to pay ultra-overtime for the consultants which they don't want to do anyways or run in single user and shut down the application for 3-6 hours... which means 300+ <wo>man hours lost.


The correct way would be to have users in data reader_writer group and have a way to kick 'em of of the system when we need to.

I don't mind giving dbo for the consultants since they actually need it most days. But even that could be improved.

TIA.
Post #1094297
Posted Friday, April 15, 2011 11:21 AM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, July 22, 2016 9:46 AM
Points: 5,218, Visits: 4,380
Ninja's_RGR'us (4/15/2011)

Thanks a million. Any way I can provide more feedback if / when I find bugs? . . .

I pinged them and asked them for permission to give you their e-mail. As they are in Hyderabad, I would expect their reply by late Sunday.
Post #1094308
Posted Monday, April 18, 2011 12:44 PM


SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Friday, July 22, 2016 9:46 AM
Points: 5,218, Visits: 4,380
MS contact info sent via private mail.
Post #1095227
Posted Monday, December 28, 2015 7:35 AM
SSCertifiable

SSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiableSSCertifiable

Group: General Forum Members
Last Login: Thursday, July 21, 2016 5:37 AM
Points: 7,886, Visits: 763
Thanks for the reminder about this.
Post #1748083
Posted Monday, December 28, 2015 7:50 AM
Mr or Mrs. 500

Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500Mr or Mrs. 500

Group: General Forum Members
Last Login: Friday, July 22, 2016 11:55 AM
Points: 506, Visits: 1,025
I think I'm going to have to disagree with Steve about SQL injection attacks not being T/SQL's fault.

I mean, T/SQL allows SQL code to have concatenation of statements seperated by a semi-colon, no white space rules *at all*, and a number of other syntactic sins that are simply unforgivable in a modern language.

So *of course* T/SQL is going to be vulnerable to SQL injection, it's pretty much a given.

The whole "only use stored procedures and always sanitize parameters" is a direct consequence of T/SQL syntax idiocy. It's a direct violation of separation of code and data.

If you're expecting data in your parameters there's NO EXCUSE for getting code. None. It all comes back to T/SQL (and SQL in general) mixing of code and data.

And that's the failing of the language at a design level. It goes beyond principle of least privilege, destroying the possibility of even having the very concept!
Post #1748093
« Prev Topic | Next Topic »

Add to briefcase ««1234»»»

Permissions Expand / Collapse