SQL Injection Attacks

K. Brian Kelley
Keeper of the Duck (23K reputation)
Group: Moderators, Points: 23906, Visits: 1917
quote:
all database access should be done with command objects and stored procedures, and not dynamic SQL

Indeed. Unfortunately, there's a ton of code out there that isn't using Command objects. That was the root of the recommendation I made for my friend to pass on.


K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
@kbriankelley
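The point in the quote, parameterised access through stored procedures rather than concatenated dynamic SQL, as an added T-SQL example that is not code from the thread or from either poster. The thread talks about ADO Command objects on the client side; the same discipline is shown here inside SQL Server with sp_executesql. The table dbo.Customers, its rows, the three procedure names and the role AppRole are all constructed for this example.

```sql
-- Added example, not from the thread. Constructed table and data:
CREATE TABLE dbo.Customers (
    CustomerID int IDENTITY(1,1) PRIMARY KEY,
    LastName   nvarchar(50) NOT NULL
);
INSERT INTO dbo.Customers (LastName) VALUES (N'Kalis');
INSERT INTO dbo.Customers (LastName) VALUES (N'O''Brien');
GO

-- Dynamic SQL by concatenation: the caller's text becomes part of the statement,
-- so a quote character in the input changes the statement instead of the data.
CREATE PROCEDURE dbo.FindCustomer_Unsafe @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(300);
    SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = '''
             + @LastName + N'''';
    EXEC (@sql);
END;
GO

-- Static SQL inside a procedure: the statement text never changes; the value is
-- bound to @LastName by the command object (or the EXEC) that calls it.
CREATE PROCEDURE dbo.FindCustomer_Safe @LastName nvarchar(50)
AS
BEGIN
    SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = @LastName;
END;
GO

-- When dynamic SQL is genuinely required (optional filters, object chosen at run
-- time), keep the values out of the string: sp_executesql takes typed parameters.
CREATE PROCEDURE dbo.FindCustomer_Dynamic @LastName nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(300);
    SET @sql = N'SELECT CustomerID, LastName FROM dbo.Customers WHERE LastName = @p';
    EXEC sp_executesql @sql, N'@p nvarchar(50)', @p = @LastName;
END;
GO

-- Least privilege for the application login: EXECUTE on the procedures only,
-- no direct SELECT on the table. AppRole is an assumed name.
CREATE ROLE AppRole;
GRANT EXECUTE ON dbo.FindCustomer_Safe    TO AppRole;
GRANT EXECUTE ON dbo.FindCustomer_Dynamic TO AppRole;
GO

-- Constructed input containing a quote. The two parameterised procedures return
-- the O'Brien row; the concatenating one raises a syntax error because the
-- quote in the value terminated the string literal early.
EXEC dbo.FindCustomer_Safe    @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Dynamic @LastName = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe  @LastName = N'O''Brien';
```

Run it from SSMS or sqlcmd, which understand the GO batch separator. The unsafe procedure is included only to show the failure mode: an ordinary surname with an apostrophe is enough to break it, which is the same property that makes it injectable. The two parameterised forms treat the whole value as data, and the EXECUTE-only grant means the application login has no path to the table except through those fixed statements.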
K. Brian Kelley
Keeper of the Duck (23K reputation)
Group: Moderators, Points: 23906, Visits: 1917
quote:
If you're talking about ASP ISP one really huge security hole is the provider himself and his knowledge about the Windows OS he is using. I have a script utilizing the FileScriptingObject I used to test my provider and he fails the test.

Another indeed. Any well-known web server is vulnerable straight out of the box. The IIS Lockdown Tool is a start. It is not the cure-all. However, if sysadmins run it, it'll eliminate most all of the vulnerabilities script kiddies are going to target with their pre-built and downloaded programs.


Frank Kalis
SSCoach (18K reputation)
Group: General Forum Members, Points: 18971, Visits: 289
Hi Brian,

quote:
Another indeed. Any well-known web server is vulnerable straight out of the box. The IIS Lockdown Tool is a start. It is not the cure-all. However, if sysadmins run it, it'll eliminate most all of the vulnerabilities script kiddies are going to target with their pre-built and downloaded programs.

Some time ago I had a discussion with our network admins on vulnerabilities. Correct me if I'm wrong. What I remember from this was:

With an out-of-the-box Windows 2000 installation there are no specific user permissions installed; that means the user can do everything unless he is denied that privilege. Now, if that is (even partially) true, I'd prefer the *NIX approach of denying a user everything unless he is granted permission.

Cheers,

Frank

--
Frank Kalis
Microsoft SQL Server MVP
Webmaster: http://www.insidesql.org/blogs
My blog: http://www.insidesql.org/blogs/frankkalis/
K. Brian Kelley
Keeper of the Duck (23K reputation)
Group: Moderators, Points: 23906, Visits: 1917
quote:
With an out-of-the-box Windows 2000 installation there are no specific user permissions installed; that means the user can do everything unless he is denied that privilege.

No, this isn't exactly correct. While the default permissions on the file system are Everyone - Full Control (although this gets tightened automatically in some cases, such as when you promote to a DC), users don't have full admin rights. They have normal user rights. This is true, of course, if they have a login to the system. Then they can access files, but they can't do things like change network settings, stop/start services, change system properties, etc.

Servers tend not to be an issue. The reason is that in order to gain access to the entire file system, one has to be able to log on locally (no shares for non-admin users by default). If they can, that's a physical security domain issue. Of course, if the user can physically get to the server, your system is pretty much compromised right there (just as it would be on most any OS).

Workstations, on the other hand, can be. Join one to a domain and by default any authenticated user can log on (but then we've passed the definition of out of the box). There should be appropriate lock-down policies, whether formal procedures or group policies or what-have-you, from that point forward.


Frank Kalis
SSCoach (18K reputation)
Group: General Forum Members, Points: 18971, Visits: 289
Hi Brian,

Thanks for correcting me!

With an out-of-the-box installation the normal user has at least enough rights to crash his box eventually.

What I take from this is that you need highly skilled admins to get this job done efficiently. So you have three risk factors: the software, the hardware, and the 'human factor'.

Nonetheless, I'd prefer the SQL Server (and *NIX) approach of denying the normal user 'anything' unless it is explicitly granted.

Cheers,

Frank

K. Brian Kelley
Keeper of the Duck (23K reputation)
Group: Moderators, Points: 23906, Visits: 1917
An out-of-the-box installation is a stand-alone PC with the OS and one user account: the administrator. So in reality, until you create the user account (you wouldn't give a user root on a *nix system) or you join it to a domain, the end user doesn't have rights to do anything.

Keep in mind that OS files are protected, services aren't accessible, and network and computer settings may be viewable, but they aren't changeable by an account that is just a member of Users. Therefore, what the user can do is limited. Sure, the user can wipe out non-critical files (in the sense of the OS running), but then again, this can happen in the *nix world as well. When I create an account in the *nix world, thereby giving user access, usually the user has a home directory, etc., and it amounts basically to the same thing... not quite, because users tend to have access to files under \Program Files in the Windows world. So it's not quite as wide open as it's painted to be.

Also, from a SQL Server perspective, run a query to find out what the public role has access to. I also should point out that the guest account is active in the master database (it is necessary), meaning anyone you give the ability to log on to SQL Server has access to those tables and stored procedures.


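The check suggested above, enumerating what the public role can reach and whether guest can connect, as an added T-SQL example that is not from the thread or its posters. The first two statements read the sys.* catalog views of SQL Server 2005 and later; the last is the sp_helprotect form, which also exists on SQL Server 2000. Nothing here is assumed beyond running it in the database you want to inspect.

```sql
-- Added example, not from the thread. Run in the database to be inspected.

-- 1. Every permission granted or denied to the public role in this database.
--    Every database user is a member of public, so each row listed here is
--    reachable by anyone who can connect to the database at all.
SELECT  dp.state_desc            AS grant_state,   -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
        dp.permission_name,
        dp.class_desc,                             -- DATABASE, SCHEMA, OBJECT_OR_COLUMN, ...
        SCHEMA_NAME(o.schema_id) AS obj_schema,    -- NULL for non-object entries
        o.name                   AS obj_name
FROM    sys.database_permissions AS dp
JOIN    sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.objects            AS o  ON dp.class = 1 AND o.object_id = dp.major_id
WHERE   pr.name = N'public'
ORDER BY dp.class_desc, obj_schema, obj_name, dp.permission_name;

-- 2. Whether the guest user is usable here. guest exists in every database but
--    only works where it holds CONNECT; master and tempdb need that, while a
--    user database normally should not grant it.
SELECT  DB_NAME() AS database_name,
        CASE WHEN EXISTS (
                 SELECT 1
                 FROM   sys.database_permissions AS gp
                 JOIN   sys.database_principals  AS gu ON gu.principal_id = gp.grantee_principal_id
                 WHERE  gu.name = N'guest'
                   AND  gp.permission_name = N'CONNECT'
                   AND  gp.state = 'G')              -- 'G' = granted
             THEN 'guest can connect'
             ELSE 'guest cannot connect'
        END AS guest_status;

-- 3. Older listing of object-level permissions held by public; sp_helprotect
--    exists on SQL Server 2000 as well as later versions.
EXEC sp_helprotect @name = NULL, @username = 'public';
```

Anything that shows up in the first result set with a GRANT state is effectively available to every login that can reach the database, which is the practical meaning of Brian's remark about public. Where the second query reports that guest can connect in a user database, `REVOKE CONNECT FROM guest;` in that database closes it; leave master and tempdb alone, since they rely on it.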
Frank Kalis
SSCoach (18K reputation)
Group: General Forum Members, Points: 18971, Visits: 289
Hi Brian,

I think we should stop here. We're somewhat off-topic. One last statement perhaps: I've never seen a *NIX system crash so hard that root had no chance but to reinstall, but I have seen this happen to a Windows system. Well, that seems to be more than enough stuff for a separate thread.

Cheers,

Frank

K. Brian Kelley
Keeper of the Duck (23K reputation)
Group: Moderators, Points: 23906, Visits: 1917
quote:
One last statement perhaps: I've never seen a *NIX system crash so hard that root had no chance but to reinstall, but I have seen this happen to a Windows system.

Agreed, we probably do need to carry on in a different topic, probably on a Win-centric site. However, I have seen this happen... I've seen a Solaris box crash like this, and I've seen a Linux box as well. It's always very, very messy.

