SQL 2008 R2 - Public role - Access Restriction
Posted Tuesday, February 28, 2012 12:37 AM
For SQL Server 2008 R2, we need to:
1. Remove EXECUTE permissions on extended stored procedures.
2. If it can be done, remove all permissions from Public.

Any ideas?
Post #1258654
Posted Tuesday, February 28, 2012 1:17 AM
First of all, the public role shouldn't have any permissions assigned to it unless someone granted them explicitly. By default the public server role only has connect permission to the server. The public role has some permissions granted implicitly through the guest user, and you should be very careful removing any of them, because it can mean that users are no longer able to log in or see certain server objects. The guest user is needed at least in master and tempdb. You can (and probably should) disable it in all user databases, but better stay away from the system databases.
You can find some more info here:
http://blog.sqlauthority.com/2012/02/24/sql-server-guest-user-and-msdb-database-enable-guest-user-on-msdb-database/

About the extended procedures, I hope you just want to deny exec to certain users or roles. While you can deny exec on quite a lot of them without doing any damage, you should also be aware of the fact that a lot of them are used by SSMS and other tools. For example, xp_readerrorlog is needed to view the SQL error log and xp_instance_regread is used during server startup. So if you really want to deny execute on some of them to all users, including sysadmins, you should be very careful what you do.
By the way, you can disable some XP_procedures using sp_configure, like xp_cmdshell and all the SMO and DMO procedures.

Hope this helps


Markus Bohse
Post #1258668
Posted Tuesday, February 28, 2012 2:10 AM
Markus, thanks for the brief reply.

1. For extended SPs, I go to Database Properties --> Security --> Roles --> Database Roles --> Public --> Properties --> Securables.
Here, I see a number of extended SPs. I had to select each one and then remove EXECUTE permission, and this has to be done for all user DBs. So, is there a way to do this, either by query or GUI, to revoke execution permission for all extended SPs?

2. For Public role restriction, in Server role public --> Properties --> Permissions --> I see tcpip, named pipes etc. only with the CONNECT option enabled. So, if I need to remove all permissions for Public, should I use Server role public or Database role public? In DB role public, as said above, it has execute permissions for most SPs, connect etc.
Post #1258688
Posted Tuesday, February 28, 2012 3:30 AM
balasach82 (2/28/2012)


1. For extended SPs, I go to Database Properties --> Security --> Roles --> Database Roles --> Public --> Properties --> Securables.
Here, I see a number of extended SPs. I had to select each one and then remove EXECUTE permission, and this has to be done for all user DBs. So, is there a way to do this, either by query or GUI, to revoke execution permission for all extended SPs?

2. For Public role restriction, in Server role public --> Properties --> Permissions --> I see tcpip, named pipes etc. only with the CONNECT option enabled. So, if I need to remove all permissions for Public, should I use Server role public or Database role public? In DB role public, as said above, it has execute permissions for most SPs, connect etc.

About 1) In my user databases the public role only has permissions on some system views, but no extended procedures, so I suspect someone added these permissions in the model database or after creation of a user database.

About 2) the permissions you name are necessary for a login to connect to the server.

You ask which permissions you need to remove, but that really depends on your requirements. As I stated earlier, by default the public role (server or database) only has the permissions which are necessary to connect and view certain server and database objects. If your public role has more permissions, I would first investigate why that is the case. Has someone added these permissions in the model database, so all new user databases will have them, or is it only in certain user databases? In the latter case, maybe some application is depending on it?


Markus Bohse
Post #1258744
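
An audit-first way to answer the "by query" question in this thread, as an added T-SQL example that is not part of any poster's reply: it lists what the public database role holds on extended stored procedures, scripts the matching REVOKE statements as text for review, and reports the guest and xp_cmdshell state mentioned above. It assumes you run it in each database being audited (model included, per the advice to check there) with permission to read the catalog views; nothing in it changes permissions.

```sql
-- Added example, not from the thread. Run in each database being audited.

-- 1. Every permission the public database role holds on extended
--    stored procedures (object type 'X'), and who granted it.
SELECT  DB_NAME()                         AS database_name,
        SCHEMA_NAME(o.schema_id)          AS schema_name,
        o.name                            AS object_name,
        o.is_ms_shipped,
        p.permission_name,
        p.state_desc,                     -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        USER_NAME(p.grantor_principal_id) AS grantor
FROM    sys.database_permissions AS p
JOIN    sys.all_objects          AS o ON o.object_id = p.major_id
WHERE   p.class = 1                       -- object-level permissions
  AND   p.minor_id = 0                    -- whole object, not a column
  AND   p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND   o.type = 'X'
ORDER BY o.name;

-- 2. Script one REVOKE per plain EXECUTE grant found above. The output is
--    text to review and run selectively; this query executes nothing.
SELECT  'REVOKE EXECUTE ON '
        + QUOTENAME(SCHEMA_NAME(o.schema_id)) + '.' + QUOTENAME(o.name)
        + ' FROM public;'                 AS revoke_statement
FROM    sys.database_permissions AS p
JOIN    sys.all_objects          AS o ON o.object_id = p.major_id
WHERE   p.class = 1
  AND   p.minor_id = 0
  AND   p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND   o.type = 'X'
  AND   p.type = 'EX'                     -- EXECUTE
  AND   p.state = 'G'                     -- plain GRANT only
ORDER BY o.name;

-- 3. Is the guest user enabled here? Guest is enabled when it holds CONNECT.
SELECT  DB_NAME() AS database_name,
        CASE WHEN EXISTS (SELECT 1
                          FROM   sys.database_permissions
                          WHERE  class = 0          -- database-level
                            AND  grantee_principal_id = DATABASE_PRINCIPAL_ID('guest')
                            AND  type = 'CO'        -- CONNECT
                            AND  state = 'G')
             THEN 'enabled' ELSE 'disabled' END AS guest_user;

-- 4. State of the sp_configure-controlled xp_cmdshell option (1 = enabled).
SELECT  name, value_in_use
FROM    sys.configurations
WHERE   name = 'xp_cmdshell';
```

Compare the grantor and is_ms_shipped columns from step 1 across model and the user databases before running any generated statement, since the thread notes that SSMS and other tools depend on some of these procedures.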