SQL 2008 R2 - Public role - Access Restriction


balasach82
For SQL Server 2008 R2, we need to:
1. Remove EXECUTE permissions on extended stored procedures.
2. If it can be done, remove all permissions from Public.

Any ideas?
MarkusB
First of all, the public role shouldn't have any permissions assigned to it unless someone granted them explicitly. By default the public server role only has connect permission to the server. The public role has some permissions granted implicitly through the guest user and you should be very careful removing any of them, because it can mean that users are no longer able to log in or see certain server objects. The guest user is needed at least in master and tempdb. You can (and probably should) disable it in all user databases, but better stay away from the system databases.
You can find some more info here:
http://blog.sqlauthority.com/2012/02/24/sql-server-guest-user-and-msdb-database-enable-guest-user-on-msdb-database/

About the extended procedures, I hope you just want to deny exec to certain users or roles. While you can deny exec on quite a lot of them without doing any damage, you should also be aware of the fact that a lot of them are used by SSMS and other tools. For example, xp_readerrorlog is needed to view the SQL error log and xp_instance_regread is used during server startup. So if you really want to deny execute on some of them to all users, including sysadmins, you should be very careful what you do.
By the way, you can disable some XP_procedures using sp_configure, like xp_cmdshell and all the SMO and DMO procedures.

Hope this helps

Markus Bohse
balasach82
Markus, thanks for the brief reply.

1. For Extended SP's, I go to Database Properties --> Security --> Roles --> Database Roles --> Public --> Properties --> Securables.
Here, I see a number of Extended SP's. I had to select each one and then remove EXECUTE permission; and this has to be done for all user db's. So, is there a way to do this either by query or GUI to revoke execution permission for all Extended SP's?

2. For Public role restriction, in Server role public --> Properties --> Permissions, I see tcpip, named pipes etc. only with CONNECT option enabled. So, if I need to remove all permissions for Public, should I use Server role public or Database role public? In DB role public, as said above, it has execute permissions for most sp, connect etc.
MarkusB
balasach82 (2/28/2012)

1. For Extended SP's, I go to Database Properties --> Security --> Roles --> Database Roles --> Public --> Properties --> Securables.
Here, I see a number of Extended SP's. I had to select each one and then remove EXECUTE permission; and this has to be done for all user db's. So, is there a way to do this either by query or GUI to revoke execution permission for all Extended SP's?

2. For Public role restriction, in Server role public --> Properties --> Permissions, I see tcpip, named pipes etc. only with CONNECT option enabled. So, if I need to remove all permissions for Public, should I use Server role public or Database role public? In DB role public, as said above, it has execute permissions for most sp, connect etc.

About 1) In my user databases the public role only has permissions on some system views, but no extended procedures, so I suspect someone added these permissions in the model database or after creation of a user database.

About 2) The permissions you name are necessary for a login to connect to the server.

You ask which permissions you need to remove, but that really depends on your requirements. As I stated earlier, by default the public role (server or database) only has the permissions which are necessary to connect and view certain server and database objects. If your public role has more permissions, I would first investigate why that is the case. Has someone added these permissions in the model database, so all new user databases will have them, or is it only in certain user databases? In the latter case, maybe some application is depending on it?

Markus Bohse
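
The inventory both replies point toward, as an added example that is not part of the original thread: for every online database it lists the EXECUTE permissions public holds on extended stored procedures and whether guest still has CONNECT, and it prints the matching REVOKE statement for each row without running it. The temp table name #findings is an assumption, and the script assumes a login that can read the catalog of every database.

```sql
-- Added example: read-only inventory. Nothing is revoked by this script.
IF OBJECT_ID('tempdb..#findings') IS NOT NULL DROP TABLE #findings;
CREATE TABLE #findings (
    database_name sysname,
    grantee       sysname,
    permission    nvarchar(128),
    state_desc    nvarchar(60),
    securable     nvarchar(300) NULL,   -- NULL for the database-level guest row
    fix_statement nvarchar(700)
);
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Collect public's EXECUTE grants on extended procedures (type 'X')
    -- and guest's database-level CONNECT grant in this database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
    INSERT #findings
    SELECT DB_NAME(), u.name, p.permission_name, p.state_desc,
           QUOTENAME(SCHEMA_NAME(o.schema_id)) + N''.'' + QUOTENAME(o.name),
           N''USE '' + QUOTENAME(DB_NAME()) + N''; '' +
           CASE WHEN o.object_id IS NULL THEN N''REVOKE CONNECT FROM guest;''
                ELSE N''REVOKE EXECUTE ON OBJECT::''
                     + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N''.''
                     + QUOTENAME(o.name) + N'' FROM public;'' END
    FROM sys.database_permissions AS p
    JOIN sys.database_principals AS u
      ON u.principal_id = p.grantee_principal_id
    LEFT JOIN sys.all_objects AS o
      ON p.class = 1 AND o.object_id = p.major_id
    WHERE p.state IN (''G'', ''W'')
      AND ((u.name = N''public'' AND o.type = ''X''
            AND p.permission_name = N''EXECUTE'')
        OR (u.name = N''guest'' AND p.class = 0
            AND p.permission_name = N''CONNECT''));';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- model first: its rows are inherited by every database created afterwards.
-- A GRANT_WITH_GRANT_OPTION row needs CASCADE appended to its fix_statement.
SELECT * FROM #findings
ORDER BY CASE database_name WHEN N'model' THEN 0 ELSE 1 END,
         database_name, grantee, securable;
```

Comparing the model rows with the user-database rows shows whether the grants were inherited at creation or added later. The guest rows for the system databases are there for information, in line with the advice in the first reply to leave those databases alone.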