Disable [guest] database user in [msdb] database

  • Christian Buettner-167247

    SSChampion

    Points: 13729

    sknox (9/23/2013)


    So if you don't need the features that rely on guest access, you can disable it in msdb?

    So the correct answer should be "It depends on the security requirements"?

    The correct answer should always be "it depends."

    :discuss:

    I also think that "it depends". Especially since you can grant connect permissions to the users directly (instead of relying on guest) if you really want to harden the system.

    And you have no (known) issues if you do not use SSMS or OCS at all for your super secure production system 😉

    Best Regards,

    Chris Büttner

  • Mike Dougherty-384281

    SSCrazy

    Points: 2764

    Christian Buettner-167247 (9/23/2013)


    sknox (9/23/2013)


    So if you don't need the features that rely on guest access, you can disable it in msdb?

    So the correct answer should be "It depends on the security requirements"?

    The correct answer should always be "it depends."

    :discuss:

    I also think that "it depends". Especially since you can grant connect permissions to the users directly (instead of relying on guest) if you really want to harden the system.

    And you have no (known) issues if you do not use SSMS or OCS at all for your super secure production system 😉

    I'm not sure that the _correct_ answer should always be "it depends" but the _kneejerk_ answer usually is.

    I don't like questions with subjective measures like "is it a good idea to ..."

    Even "best practices" evolve over time. I know.. QotD is explicitly 'now' but I'm being pedantic. 🙂

    btw, I didn't see anyone answer why guest has so much access by default. On the same front, why does "public" even exist? (oh right, else there would be free-for-all naming of the "everyone" or "don't bother me about security" group)

  • Jeff.MSSqlSage

    Say Hey Kid

    Points: 709

    Having worked in DIACAP environments, the answer is definitely "it depends".

    Part of the government SQL Server lockdowns requires revoking CONNECT to guest for all databases, including system databases.

    Any users which require functionality listed in 2539091 must be explicitly granted permission to the databases and documented as such.

    This is a rather uncommon situation, but still a possibility.
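The revoke-then-grant-explicitly approach Christian and Jeff describe, preceded by an audit of which databases still let guest connect, as an added T-SQL example that is not from any poster in the thread; the [app_reader] login is a placeholder name.

```sql
-- Added example; [app_reader] is a placeholder login, not a real principal.
-- 1. Audit: list every online database in which guest still holds CONNECT.
--    guest is a per-database user, so each database's catalog is queried.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'
SELECT N''' + REPLACE(name, '''', '''''') + N''' AS database_name,
       dp.state_desc, dp.permission_name
FROM ' + QUOTENAME(name) + N'.sys.database_permissions AS dp
JOIN ' + QUOTENAME(name) + N'.sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class_desc = N''DATABASE''
  AND dp.permission_name = N''CONNECT''
  AND pr.name = N''guest''
UNION ALL'
FROM sys.databases
WHERE state_desc = N'ONLINE';

SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));  -- drop trailing UNION ALL
EXEC sys.sp_executesql @sql;

-- 2. Harden msdb only after confirming nothing (SSMS features, Agent job
--    owners) still relies on guest there. master and tempdb are excluded:
--    SQL Server refuses to revoke guest CONNECT in those two databases.
USE msdb;
REVOKE CONNECT FROM guest;

-- 3. Map the principals that genuinely need msdb explicitly, so the grant is
--    visible in the audit above and can be documented per user.
CREATE USER [app_reader] FOR LOGIN [app_reader];   -- CREATE USER grants CONNECT implicitly
GRANT CONNECT TO [app_reader];                     -- kept explicit to document intent
ALTER ROLE SQLAgentUserRole ADD MEMBER [app_reader]; -- only if they own Agent jobs (SQL 2012+)
```

Re-run step 1 afterwards: msdb should no longer appear, while master and tempdb still do.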

  • Revenant

    SSC-Forever

    Points: 42467

    Hmm... Got it wrong based on

    http://msdn.microsoft.com/en-us/library/ff648664.aspx

    which clearly recommends disabling the guest account (Step 4).

  • Michael_Garrison

    Hall of Fame

    Points: 3050

    hmm.. however this link clearly at the top says:

    "Retired Content

    This content is outdated and is no longer being maintained. It is provided as a

    courtesy for individuals who are still using these technologies.

    This page may contain URLs that were valid when originally published,

    but now link to sites or pages that no longer exist."

  • Revenant

    SSC-Forever

    Points: 42467

    Michael_Garrison (9/23/2013)


    hmm.. however this link clearly at the top says:

    "Retired Content

    This content is outdated and is no longer being maintained. It is provided as a

    courtesy for individuals who are still using these technologies.

    This page may contain URLs that were valid when originally published,

    but now link to sites or pages that no longer exist."

    Yeah, but it was not deprecated, meaning taken down. I hope it means it is still valid.

  • PHYData DBA

    SSCertifiable

    Points: 7541

    Revenant (9/23/2013)


    Hmm... Got it wrong based on

    http://msdn.microsoft.com/en-us/library/ff648664.aspx

    which clearly recommends disabling the guest account (Step 4).

    This was also written in 2003 about SQL Server 2000 with .NET 2/VS 2003.

    For some reason these documents have not changed much since then.

    Would love M$ to release something like this for .Net 4 and SQL 2012 - 2014. 😎

  • PHYData DBA

    SSCertifiable

    Points: 7541

    Mike Dougherty-384281 (9/23/2013)


    I'm not sure that the _correct_ answer should always be "it depends" but the _kneejerk_ answer usually is.

    +10 to that! 😀

  • free_mascot

    One Orange Chip

    Points: 27168

    Good question for core DBA.

    ---------------------------------------------------
    "There are only 10 types of people in the world:
    Those who understand binary, and those who don't."

  • SQLRNNR

    SSC Guru

    Points: 281210

    Good Question. I liked the explanation.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • Joshua M Perry

    SSCrazy

    Points: 2655

    I disable it for Internet facing databases and grant specific permissions. It's also interesting that the article has not been reviewed in two years and SQL 2012 is not listed in the applies to section.
