SSC-Insane
         
I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.
Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!
& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.
SSChasing Mays
      
K. Brian Kelley (4/12/2011) In the BBS days...
I remember those days! I ran a very small BBS back in the 80's. Those were the days.
Anyway, what you describe is correct. The concept of whitelist vs. blacklist. Whitelist being more secure and ensuring the characters or patterns match an exact allowable list only, vs. a blacklist which is less secure and looks for characters not allowed. Blacklist being less secure because hackers are always adapting and changing and even if you blacklisted all of the bad chars/patterns today, it may be vulnerable tomorrow via a new yet-to-be-invented construct.
On the coding side, I advocate whitelist, and on an exception, attempt to blacklist sanitize the input (replace), then run it through the whitelist check one last time. This tends to prevent the really bad stuff, even if not invented yet (usually), while not doing a smack down on the users' ETL process, etc.
Anyway, you made some nice points.
Jim
Jim Murphy http://www.sqlwatchmen.com @SQLMurph
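The "whitelist first, blacklist-sanitize only on exception, then whitelist again" flow Jim describes, written out as an added T-SQL example (not code from this thread or from any poster). The allowed character set (letters, digits, space, underscore), the 100-character limit and the procedure name are assumptions for illustration; this validates a value's domain and complements, rather than replaces, parameterized queries.

```sql
-- Added example, not code from the thread: whitelist check, sanitize only on
-- exception, then whitelist again, for a free-text ETL column.
-- Allowed set, length limit and object name are assumptions for illustration.
CREATE PROCEDURE dbo.usp_ValidateLabel
    @input    nvarchar(200),
    @clean    nvarchar(100) OUTPUT,  -- value to store when @accepted = 1
    @accepted bit           OUTPUT   -- 1 = passed the whitelist, 0 = reject and log
AS
BEGIN
    SET NOCOUNT ON;
    -- Whitelist as a negated character class: any character outside the allowed
    -- set gives PATINDEX > 0. The binary collation keeps A-Z and a-z exact instead
    -- of letting the database collation widen the ranges.
    DECLARE @notAllowed nvarchar(30) = N'%[^A-Za-z0-9 _]%';

    SET @clean = LEFT(LTRIM(RTRIM(ISNULL(@input, N''))), 100);

    -- 1. Whitelist check: the normal path; well-formed input is accepted here.
    IF LEN(@clean) > 0
       AND PATINDEX(@notAllowed, @clean COLLATE Latin1_General_BIN) = 0
    BEGIN
        SET @accepted = 1;
        RETURN;
    END;

    -- 2. Exception path: blacklist-style sanitizing of the constructs known today.
    --    This list can never be complete, which is exactly why step 3 follows.
    SET @clean = REPLACE(REPLACE(REPLACE(REPLACE(@clean,
                     N'''', N''), N';', N''), N'--', N''), N'/*', N'');
    SET @clean = LEFT(LTRIM(RTRIM(@clean)), 100);

    -- 3. Whitelist check one last time: sanitizing never gets the final word.
    SET @accepted = CASE WHEN LEN(@clean) > 0
                          AND PATINDEX(@notAllowed, @clean COLLATE Latin1_General_BIN) = 0
                         THEN 1 ELSE 0 END;
END;
GO

-- Constructed sample inputs: one clean, one that sanitizing rescues, and one that
-- must still be rejected because '<' and '>' are outside the whitelist.
DECLARE @out nvarchar(100), @ok bit;
EXEC dbo.usp_ValidateLabel N'Widget 42',         @out OUTPUT, @ok OUTPUT;
SELECT @out AS clean_value, @ok AS accepted;
EXEC dbo.usp_ValidateLabel N'O''Brien; Widget',  @out OUTPUT, @ok OUTPUT;
SELECT @out AS clean_value, @ok AS accepted;
EXEC dbo.usp_ValidateLabel N'Widget <script>',   @out OUTPUT, @ok OUTPUT;
SELECT @out AS clean_value, @ok AS accepted;
```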
Hall of Fame
       
Ninja's_RGR'us (4/12/2011) I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.
Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!
& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.
I reported this as a P0 to their test lead.
Thank you for bringing this up.
SSC-Insane
         
Revenant (4/15/2011)
Ninja's_RGR'us (4/12/2011) I love MS & all since I'm earning my living because of them. BUT I work with MS Dynamics NAV and EVERY SINGLE FREAKING USER needs to be DBO.
Granted this is the only db they have access to but this is a little moronic. And we're using the 2nd latest product version. So it looks like they still have some work to do there!
& BTW, there's an open / design table right there in the application... which anyone has access to. Our contact told us there's no real way to change that.
I reported this as a P0 to their test lead. Thank you for bringing this up.
Thanks a million. Any way I can provide more feedback if / when I find bugs?
The other issue with this is that we have no real way to do implementations.
I.e.: I put the db in single user mode to kick everyone out. Backup, restore, checkdb. Put the db in restricted user mode so our team can kick in (at which point I didn't know that every user now had access). Tell our consultant to start the upgrade process. In the middle of it we realize we have incorrect data. We trace it to users having logged back in and done transactions. We had to use restricted user because there were 3-4 of us in there to run the tests as fast as possible. We now had to constantly monitor the connections and keep killing them for 2 hours until we were done.
Now the only safe way we have is to pay ultra-overtime for the consultants which they don't want to do anyways or run in single user and shut down the application for 3-6 hours... which means 300+ <wo>man hours lost.
The correct way would be to have users in the data reader/writer group and have a way to kick 'em off of the system when we need to.
I don't mind giving dbo for the consultants since they actually need it most days. But even that could be improved.
TIA.
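The permission model asked for above, as an added T-SQL example that is not code from this thread: RESTRICTED_USER only keeps out principals who are not db_owner members (or sysadmin/dbcreator), so the first query shows why a database where every user is dbo cannot be fenced off, and the rest moves an application user to reader/writer before the maintenance window. [NavDB] and [NavUser] are placeholders, and the example assumes the application can run without db_owner, which is the open point with the vendor in this thread.

```sql
-- Added example, not code from the thread. [NavDB] and [NavUser] are placeholders.
-- Assumes the application itself does not require db_owner membership.
USE [NavDB];
GO
-- 1. RESTRICTED_USER admits only db_owner members plus the sysadmin and dbcreator
--    server roles, so this list is exactly who can still connect during the window.
--    If every application user shows up here, restricted mode keeps nobody out.
SELECT m.name AS db_owner_member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner';

-- 2. Move an application user from db_owner to the reader/writer roles, so a
--    restricted-user window excludes them while the consultants (still dbo) can work.
--    sp_droprolemember / sp_addrolemember exist on SQL 2005 and 2008; on 2012 and
--    later, ALTER ROLE ... DROP/ADD MEMBER does the same. Note that these two roles
--    grant no EXECUTE: if the application calls stored procedures, grant that separately.
EXEC sp_droprolemember N'db_owner',      N'NavUser';
EXEC sp_addrolemember  N'db_datareader', N'NavUser';
EXEC sp_addrolemember  N'db_datawriter', N'NavUser';
GO

-- 3. Start the window from a sysadmin session: ROLLBACK IMMEDIATE rolls back open
--    transactions and drops every other connection, and from here on only the
--    principals listed in step 1 can reconnect. Backup, restore, CHECKDB and the
--    upgrade run inside this window.
USE master;
ALTER DATABASE [NavDB] SET RESTRICTED_USER WITH ROLLBACK IMMEDIATE;
GO

-- 4. Confirm the access mode before handing the upgrade to the consultants.
SELECT name, user_access_desc FROM sys.databases WHERE name = N'NavDB';

-- 5. Reopen when the work is done.
ALTER DATABASE [NavDB] SET MULTI_USER;
GO
```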
Hall of Fame
       
Ninja's_RGR'us (4/15/2011)
Thanks a million. Any way I can provide more feedback if / when I find bugs? . . .
I pinged them and asked them for permission to give you their e-mail. As they are in Hyderabad, I would expect their reply by late Sunday.
Hall of Fame
       
MS contact info sent via private mail.