SQLServerCentral is supported by Red Gate Software Ltd.
Why Use the Principle of Least Privilege?
Posted Tuesday, April 12, 2011 10:50 AM
SSC-Insane
I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!

& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.
Post #1092247
Posted Tuesday, April 12, 2011 11:41 AM
Hall of Fame
There are fairly simple steps that you can use to eliminate the vast majority of SQL Injection attacks:

Always Use Parameters. Even if you don't use Stored Procedures.
http://weblogs.sqlteam.com/jeffs/archive/2006/07/21/10728.aspx
Post #1092290
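As an added illustration of the point above (this is not code from the post or from the linked article), here is the same lookup built once by string concatenation and once with sp_executesql parameters. The table dbo.Customers(CustomerId int, Name nvarchar(100)) is assumed.

```sql
-- Added example, not from the linked article. Assumed table:
-- dbo.Customers(CustomerId int, Name nvarchar(100)).
DECLARE @name nvarchar(100) = N'O''Brien';   -- value exactly as the user typed it

-- Concatenation: the value becomes part of the statement text, so a quote in
-- the input (or anything else that parses as T-SQL) changes the statement.
DECLARE @unsafe nvarchar(max) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = '''
    + @name + N''';';
-- EXEC (@unsafe);  -- with @name = O'Brien this fails with a syntax error

-- Parameters: the value is bound by name and typed; it is never parsed as SQL,
-- and the plan compiled for @safe is reused across calls with different values.
DECLARE @safe nvarchar(max) =
    N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @p_name;';
EXEC sys.sp_executesql
    @stmt   = @safe,
    @params = N'@p_name nvarchar(100)',
    @p_name = @name;
```

Table and column names cannot be passed as parameters; those still need QUOTENAME() plus a whitelist check before they are spliced into the statement.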
Posted Wednesday, April 13, 2011 9:30 AM
SSChasing Mays
K. Brian Kelley (4/12/2011)
In the BBS days...


I remember those days! I ran a very small BBS back in the 80's. Those were the days.

Anyway, what you describe is correct. The concept of whitelist vs. blacklist. Whitelist being more secure and ensuring the characters or patterns match an exact allowable list only, vs. a blacklist which is less secure and looks for characters not allowed. Blacklist being less secure because hackers are always adapting and changing and even if you blacklisted all of the bad chars/patterns today, it may be vulnerable tomorrow via a new yet-to-be-invented construct.

On the coding side, I advocate whitelist, and on an exception, attempt to blacklist sanitize the input (replace), then run it through the whitelist check one last time. This tends to prevent the really bad stuff, even if not invented yet (usually), while not doing a smack down on the user's ETL process, etc.

Anyway, you made some nice points.

Jim


Jim Murphy
http://www.sqlwatchmen.com
@SQLMurph
Post #1092919
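The whitelist / sanitize / whitelist-again sequence Jim describes, written out as an added T-SQL example (not Jim's code). The function name dbo.ValidateIdentifier is made up, and it is aimed at the one input that cannot be parameterized: an identifier such as a table or column name that has to be spliced into dynamic SQL.

```sql
-- Added example: whitelist first, blacklist-sanitize only on failure, then
-- whitelist one last time. dbo.ValidateIdentifier is a hypothetical name.
CREATE FUNCTION dbo.ValidateIdentifier (@input nvarchar(128))
RETURNS nvarchar(128)
AS
BEGIN
    -- Whitelist: letters, digits and underscore only, starting with a letter.
    -- (LIKE ranges follow the database collation; an accent-insensitive
    -- collation also admits accented letters.)
    DECLARE @disallowed nvarchar(32) = N'%[^A-Za-z0-9_]%';

    IF @input LIKE N'[A-Za-z]%' AND @input NOT LIKE @disallowed
        RETURN @input;                        -- passes on the first check

    -- Exception path: strip every disallowed character (the blacklist step) ...
    DECLARE @clean nvarchar(128) = @input;
    DECLARE @pos int = PATINDEX(@disallowed, @clean);
    WHILE @pos > 0
    BEGIN
        SET @clean = STUFF(@clean, @pos, 1, N'');
        SET @pos = PATINDEX(@disallowed, @clean);
    END;

    -- ... then run the whitelist again; anything still failing is rejected.
    IF @clean LIKE N'[A-Za-z]%' AND @clean NOT LIKE @disallowed
        RETURN @clean;

    RETURN NULL;
END;
GO

-- Constructed inputs: the first passes unchanged, the second is sanitized to
-- 'OrderHeader' and then passes, the third has nothing salvageable (no leading
-- letter) and comes back NULL.
SELECT dbo.ValidateIdentifier(N'Sales_2011')       AS PassesWhitelist,
       dbo.ValidateIdentifier(N'Order Header; --') AS SanitizedThenChecked,
       dbo.ValidateIdentifier(N'123')              AS Rejected;
```

Wrap the returned name in QUOTENAME() when building the statement, and treat a NULL result as a hard reject rather than falling back to the raw input.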
Posted Friday, April 15, 2011 10:34 AM
SSC-Insane
I think this is a great reminder that the effort to prevent injection is a continual process.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1094281
Posted Friday, April 15, 2011 10:45 AM
SSCarpal Tunnel
Ninja's_RGR'us (4/12/2011)
I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!

& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.

I reported this as a P0 to their test lead.

Thank you for bringing this up.
Post #1094290
Posted Friday, April 15, 2011 10:57 AM
SSC-Insane
Revenant (4/15/2011)
Ninja's_RGR'us (4/12/2011)
I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.

Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!

& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.

I reported this as a P0 to their test lead.

Thank you for bringing this up.



Thanks a million. Any way I can provide more feedback if / when I find bugs?


The other issue with this is that we have no real way to do implementations.

IE : I put db in single user mode to kick everyone out. Backup, restore, checkdb. Put db in restricted user mode so our team can kick in (at which point I didn't know that every user now had access). Tell our consultant to start the upgrade process. In the middle of it we realize we have incorrect data. We trace it to users having logged back in and done transactions. We had to use restricted user because there were 3-4 of us in there to run the tests as fast as possible. We now had to constantly monitor the connections and keep killing them for 2 hours until we were done.


Now the only safe way we have is to pay ultra-overtime for the consultants which they don't want to do anyways or run in single user and shut down the application for 3-6 hours... which means 300+ <wo>man hours lost.


The correct way would be to have users in data reader_writer group and have a way to kick 'em off of the system when we need to.

I don't mind giving dbo for the consultants since they actually need it most days. But even that could be improved.

TIA.
Post #1094297
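The setup the post above (and the first post in the thread) asks for, as an added T-SQL example rather than anything from the thread or from the Dynamics NAV product: application users in db_datareader/db_datawriter instead of db_owner, so that RESTRICTED_USER actually keeps them out during the maintenance window. The database name NavDemo and the login NavUser1 are placeholders.

```sql
-- Added example (not from the post). Assumed names: database [NavDemo] and an
-- existing login [NavUser1]; substitute your own.
USE [NavDemo];
GO
-- Data access only: db_datareader/db_datawriter instead of db_owner.
-- (On SQL Server 2008: EXEC sp_addrolemember 'db_datareader', 'NavUser1'; etc.)
CREATE USER [NavUser1] FOR LOGIN [NavUser1];
ALTER ROLE db_datareader ADD MEMBER [NavUser1];
ALTER ROLE db_datawriter ADD MEMBER [NavUser1];
GO
-- Maintenance window. RESTRICTED_USER admits only members of db_owner,
-- dbcreator and sysadmin, so the upgrade team can work while NavUser1 is
-- disconnected and cannot reconnect. Had NavUser1 been dbo, this setting would
-- not have kept it out; that is the failure the post describes.
ALTER DATABASE [NavDemo] SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE;
GO
-- Confirm that only the team's own sessions remain.
-- (database_id on sys.dm_exec_sessions is SQL Server 2012+; on 2008 query
-- sys.sysprocesses.dbid instead.)
SELECT session_id, login_name, program_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1 AND database_id = DB_ID(N'NavDemo');
GO
-- When the upgrade is finished, let everyone back in.
ALTER DATABASE [NavDemo] SET MULTI_USER;
GO
```

The consultants who genuinely need db_owner can stay in that role; RESTRICTED_USER lets them in while the data-only users stay locked out until MULTI_USER is restored.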
Posted Friday, April 15, 2011 11:21 AM
SSCarpal Tunnel
Ninja's_RGR'us (4/15/2011)

Thanks a million. Any way I can provide more feedback if / when I find bugs? . . .

I pinged them and asked them for permission to give you their e-mail. As they are in Hyderabad, I would expect their reply by late Sunday.
Post #1094308
Posted Monday, April 18, 2011 12:44 PM
SSCarpal Tunnel
MS contact info sent via private mail.
Post #1095227