Click here to monitor SSC
SQLServerCentral is supported by Red Gate Software Ltd.
 
Log in  ::  Register  ::  Not logged in
 
 
 
        
Home       Members    Calendar    Who's On


Add to briefcase

SQL 2000 Vulnerability using SQL Server Management Studio Expand / Collapse
Author
Message
Posted Wednesday, October 25, 2006 6:15 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Monday, July 12, 2010 6:44 AM
Points: 2, Visits: 34
Hi,

When using SQL Server Management Studio to connect to a SQL2000 database using a user/password that has only permissions for its database and default permission on the master database, it lists all the databases on the server, not a huge problem.
Though if you right click your database and go to "Tasks" >> "Back Up..." now click the "Add" button under destination and in the "Select Database Destination" dialogue click the "..." button.

You are now able to browse the entire drives file stucture.
You are also able to overwrite other backup files or restore other backup files from any other database.

If I do this with Enterprise Manager I get the following error :
error 229: EXECUTE permission denied on object 'xp_availablemedia', database 'master', owner 'dbo'
And with Enterprise Manager I only see a list of databases I have access to.

Anybody got any suggestions on how to make my SQL2000 servers more secure?
Post #317875
Posted Thursday, October 26, 2006 10:57 AM
SSC-Enthusiastic

SSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-EnthusiasticSSC-Enthusiastic

Group: General Forum Members
Last Login: Wednesday, February 4, 2009 1:49 PM
Points: 160, Visits: 140
Hi lance can you tell me on wich roles this user is included ?

Pedro R. Lopez
http://madurosfritos.blogspot.com/
Post #318443
Posted Friday, October 27, 2006 5:28 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: General Forum Members
Last Login: Monday, July 12, 2010 6:44 AM
Points: 2, Visits: 34
public and db_owner
I got this by going to the a database of a standard useer then under users clicked the properties of the user.
Post #318652
« Prev Topic | Next Topic »

Add to briefcase

Permissions Expand / Collapse