SQL Injection Attacks
Posted Thursday, May 29, 2003 7:40 AM


Keeper of the Duck
Group: Moderators
quote:
all database access should be done with command objects and stored procedures, and not dynamic SQL


Indeed. Unfortunately, there's a ton of code out there that isn't using Command objects. That was the root of the recommendation I made for my friend to pass on.


K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1


K. Brian Kelley, CISA, MCSE, Security+, MVP - SQL Server
Regular Columnist (Security), SQLServerCentral.com
Author of Introduction to SQL Server: Basic Skills for Any SQL Server User
| Professional Development blog | Technical Blog | LinkedIn | Twitter
Post #63479
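The recommendation in this post (command objects and stored procedures instead of dynamic SQL) is easier to judge with the two forms side by side. The following T-SQL is an added example written for this page; it is not code from the thread or from its authors, the table and rows are constructed for the demonstration, and it assumes SQL Server 2008 or later (inline DECLARE initialisation and multi-row VALUES). Note that a stored procedure on its own is not the fix: the first procedure below is "in a stored procedure" and is still dynamic SQL.

```sql
-- Constructed sample table for the demonstration (not from the thread)
CREATE TABLE dbo.Customers (CustomerID int PRIMARY KEY, Name nvarchar(100) NOT NULL);
INSERT INTO dbo.Customers (CustomerID, Name) VALUES (1, N'Alice'), (2, N'Bob'), (3, N'O''Brien');
GO

-- UNSAFE: the caller's text is spliced into the statement. A value containing a
-- quote character closes the string literal and whatever follows is parsed as SQL.
-- Wrapping this in a stored procedure changes nothing; it is still dynamic SQL.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = ''' + @Name + N'''';
    EXEC (@sql);
END
GO

-- SAFE: the search value is bound as a parameter. Whatever characters it contains,
-- it is compared as data and never parsed as part of the statement. This is what
-- an ADO Command object with a Parameters collection gives the ASP caller.
CREATE PROCEDURE dbo.FindCustomer_Safe @Name nvarchar(100)
AS
BEGIN
    SELECT CustomerID, Name FROM dbo.Customers WHERE Name = @Name;
END
GO

-- If a dynamic statement is genuinely needed (for instance the table name varies),
-- keep every data value parameterized through sp_executesql; only identifiers
-- validated against a fixed list should ever be concatenated into the text.
CREATE PROCEDURE dbo.FindCustomer_DynamicSafe @Name nvarchar(100)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT CustomerID, Name FROM dbo.Customers WHERE Name = @p_name';
    EXEC sp_executesql @sql, N'@p_name nvarchar(100)', @p_name = @Name;
END
GO

-- Ordinary input with an embedded quote: the parameterized procedures find the one
-- matching row; the unsafe one fails with a syntax error because O'Brien's quote
-- terminates the literal. That error is the visible symptom of the same defect.
EXEC dbo.FindCustomer_Safe        @Name = N'O''Brien';
EXEC dbo.FindCustomer_DynamicSafe @Name = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe      @Name = N'O''Brien';

-- A test value that carries its own quote and a trailing comment marker.
-- The parameterized procedures compare it as a literal name, which no row has.
-- The unsafe procedure executes the altered WHERE clause instead.
DECLARE @probe nvarchar(100) = N'x'' OR 1=1 --';
EXEC dbo.FindCustomer_Safe        @Name = @probe;
EXEC dbo.FindCustomer_DynamicSafe @Name = @probe;
EXEC dbo.FindCustomer_Unsafe      @Name = @probe;
GO
```

Keep the probe value as a regression test in the application's test suite: the row count it returns from the data-access layer should never change when the input is bound as a parameter, and any query path where it does is one that still builds its statement from strings.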
Posted Thursday, May 29, 2003 7:42 AM


Keeper of the Duck
Group: Moderators
quote:
If you're talking about an ASP ISP, one really huge security hole is the provider himself and his knowledge of the Windows OS he is using. I have a script utilizing the FileScriptingObject that I used to test my provider, and he fails the test.


Another indeed. Any well-known web server is vulnerable straight out of the box. The IIS Lockdown Tool is a start. It is not the cure-all. However, if sysadmins run it, it'll eliminate almost all of the vulnerabilities script kiddies are going to target with their pre-built and downloaded programs.


Post #63480
Posted Monday, June 2, 2003 2:37 AM


SSCertifiable
Group: General Forum Members
Hi Brian,

quote:

Another indeed. Any well-known web server is vulnerable straight out of the box. The IIS Lockdown Tool is a start. It is not the cure-all. However, if sysadmins run it, it'll eliminate most all of the vulnerabilities script kiddies are going to target with their pre-built and downloaded programs.



Some time ago I had a discussion with our network admins on vulnerabilities. Correct me if I'm wrong. What I remember from this was:

With an out-of-the-box Windows 2000 installation there are no specific user permissions installed, which means a user can do everything unless he is denied that privilege. Now, if that is (even partially) true, I'd prefer the *NIX approach of denying a user everything unless he is granted permission.

Cheers,

Frank


--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
Post #63481
Posted Monday, June 2, 2003 9:20 AM


Keeper of the Duck
Group: Moderators
quote:
With an out-of-the-box Windows 2000 installation there are no specific user permissions installed, which means a user can do everything unless he is denied that privilege.


No, this isn't exactly correct. While the default permissions on the file system are Everyone - Full Control (although this gets tightened automatically in some cases, such as when you promote to a DC), users don't have full admin rights. They have normal user rights. This is true, of course, if they have a login to the system. Then they can access files, but they can't do things like change network settings, stop/start services, change system properties, etc.

Servers tend not to be an issue. The reason is that in order to gain access to the entire file system, one has to be able to log on locally (no shares for non-admin users by default). If they can, that's a physical security issue. Of course, if the user can physically get to the server, your system is pretty much compromised right there (just as it would be on most any OS).

Workstations, on the other hand, can be. Join one to a domain and by default any authenticated user can log on (but then we've passed the definition of out of the box). There should be appropriate lock-down policies, whether formal procedures or group policies or what-have-you, from that point forward.


Post #63482
Posted Tuesday, June 3, 2003 1:33 AM


SSCertifiable
Group: General Forum Members
Hi Brian,

Thanks for correcting me!

With an out-of-the-box installation, the normal user still has at least enough rights to crash his box.

What I take from this is that you need highly skilled admins to get this job done efficiently. So you have three risk factors: the software, the hardware, and the 'human factor'.

Nonetheless, I'd prefer the SQL Server (and *NIX) approach to deny the normal user 'anything' unless it is explicitly granted.

Cheers,

Frank


Post #63483
Posted Tuesday, June 3, 2003 6:42 AM


Keeper of the Duck
Group: Moderators
An out-of-the-box installation is a stand-alone PC with the OS and one user account: the administrator. So in reality, until you create the user account (you wouldn't give a user root on a *nix system) or you join it to a domain, the end user doesn't have rights to do anything.

Keep in mind that OS files are protected, services aren't accessible, and network and computer settings may be viewable, but they aren't changeable by an account that is just a member of Users. Therefore, what the user can do is limited. Sure, the user can wipe out non-critical files (in the sense of the OS running), but then again, this can happen in the *nix world as well. When I create an account in the *nix world, thereby giving user access, usually the user has a home directory, etc., and it amounts basically to the same thing... not quite, because users tend to have access to files under \Program Files in the Windows world. So it's not quite as wide open as it's painted to be.

Also, from a SQL Server perspective, run a query to find out what the public role has access to. I also should point out that the guest account is active in the master database (it is necessary), meaning anyone you give the ability to log on to SQL Server has access to these tables and stored procedures.


Post #63484
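The two SQL Server checks suggested at the end of this post (what the public role can reach, and whether guest is enabled in a given database) can be scripted. The following T-SQL is an added example written for this page, not code from the thread or from its authors. It assumes SQL Server 2008 or later (the sys.database_permissions catalog views and OBJECT_SCHEMA_NAME); the SQL Server 2000-era equivalents, which is what the thread was written against, are given in comments at the end. Run it inside the database you want to audit (USE master to reproduce the guest observation above).

```sql
-- 1. Everything granted to the public role. Every database user is a member of
--    public, so each row here is a permission held by anyone who can reach this
--    database, including guest where guest is enabled.
SELECT pr.name            AS grantee,
       pe.state_desc      AS state,
       pe.permission_name AS permission,
       pe.class_desc      AS securable_class,
       CASE pe.class
            WHEN 0 THEN DB_NAME()                                                   -- database-level grant
            WHEN 1 THEN OBJECT_SCHEMA_NAME(pe.major_id) + N'.' + OBJECT_NAME(pe.major_id)  -- object or column
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)                                    -- schema
            ELSE CONVERT(nvarchar(20), pe.major_id)                                 -- other securable classes
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = N'public'
  AND pe.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION')
ORDER BY pe.class_desc, securable, pe.permission_name;

-- 2. Is guest enabled in this database? The guest user exists in every database
--    but is only usable while it holds CONNECT. In master, msdb and tempdb it is
--    enabled by design (Brian's point above); in a user database a CONNECT grant
--    to guest means any login on the instance can read whatever public can read.
SELECT DB_NAME() AS database_name,
       CASE WHEN EXISTS (SELECT 1
                         FROM sys.database_permissions AS pe
                         JOIN sys.database_principals  AS pr
                           ON pr.principal_id = pe.grantee_principal_id
                         WHERE pr.name = N'guest'
                           AND pe.permission_name = N'CONNECT'
                           AND pe.state = N'G')
            THEN N'enabled' ELSE N'disabled' END AS guest_status;

-- 3. Remediation for a user database where guest should not be reachable.
--    (Do not run this in master, msdb or tempdb; the engine depends on guest there.)
-- REVOKE CONNECT FROM guest;

-- 4. The same two questions on SQL Server 2000, the version current when this
--    thread was written:
-- EXEC sp_helprotect @username = 'public';
-- SELECT name, hasdbaccess FROM sysusers WHERE name = 'guest';
```

Run query 1 in every database on the instance, not just the application database: a grant to public in a database where guest is also enabled is effectively a grant to every login on the server.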
Posted Tuesday, June 3, 2003 7:44 AM


SSCertifiable
Group: General Forum Members
Hi Brian,

I think we should stop here. We're somehow off-topic. One last statement perhaps: I've never seen a *NIX system crashed so hard that root had no choice but to reinstall, but I have seen this happen to Windows systems. Well, that seems to be more than enough stuff for a separate thread.

Cheers,

Frank


Post #63485
Posted Tuesday, June 3, 2003 7:54 AM


Keeper of the Duck
Group: Moderators
quote:
One last statement perhaps: I've never seen a *NIX system crashed so hard that root had no choice but to reinstall, but I have seen this happen to Windows systems.


Agreed, we probably do need to carry on in a different topic, probably on a Windows-centric site. ;) However, I have seen this happen... I've seen a Solaris box crash like this, and I've seen a Linux box as well. It's always very, very messy.


Post #63486