Permissions granted to the public role

  • Hello all

    I hope someone can help me explain things to upper management better about the public role. We have an intrusion application that also scans our SQL Server 2000 for vulnerabilities. A few of the critical and major alerts state that public has SELECT permissions on a number of system objects. I understand that this is necessary for normal SQL Server 2000 operations. However, they want me to remove public permissions on all of these objects so the report will show zero errors. I am resisting. However, I did revoke some from msdb and master that I know will not cause any problems (I hope). This is not good enough.

    I have been on a hunt for documentation that would support such a draconian move. I have even gone back to the software vendor to have them explain to me why this is the case.

    A CERT document suggested a few things, like creating a separate role, granting permissions to that group, and then revoking the public permissions. However, we have other vendor applications, and I have no idea how this would affect them.

    I am hoping someone has some suggestions as to what permissions can and cannot be revoked without spending the next week or two trying to fix everything.  Pointing me into some good security or administration documentation would also help greatly.

    Thanks in advance.

  • Revoking public rights is quite a good move, but there are some issues. You obviously move away from an "out of the box" install, which means if things break it's your fault. However, many of the public rights can (and probably should) be removed, but be prepared for lots of applications to break. I've seen all manner of wondrous access to system objects by third-party applications, and I might add Microsoft applications.

    If your upper management don't understand what they're asking and are just blindly going on the recommendations of a third-party app, then they are not likely to have a very secure environment.

    Test and test to see what rights you can remove. Yes, creating roles to replace the public role is the right way to go, but at the end of the day, if all users are in that role, then it's largely no different from limiting public rights.

    sqlsecurity.com has lots of useful information.

    The GrumpyOldDBA
    www.grumpyolddba.co.uk
    http://sqlblogcasts.com/blogs/grumpyolddba/
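One way to do the "test and test" work the reply above recommends: take an inventory of what public actually holds on Microsoft-shipped objects in one database, then script (not run) the REVOKE and a compensating GRANT to a replacement role so the change can be reviewed and tried on a test server first. This is an added example, not code from the thread or from any vendor mentioned; it assumes the SQL Server 2000 catalog tables (sysprotects, sysobjects) and the role name `app_sysobject_readers` is a placeholder.

```sql
-- Added example (not the thread's own code). Assumes SQL Server 2000 catalog
-- tables; the role name below is a placeholder, not a product or vendor role.
USE msdb
GO
DECLARE @newrole sysname
SET @newrole = 'app_sysobject_readers'   -- assumed name, change to suit

-- 1. Inventory: permissions GRANTed (not DENYed) to public (uid 0) on objects
--    that shipped with the product. Column-level grants collapse to the object.
SELECT  o.name  AS object_name,
        o.xtype AS object_type,
        CASE p.action WHEN 193 THEN 'SELECT'  WHEN 195 THEN 'INSERT'
                      WHEN 196 THEN 'DELETE'  WHEN 197 THEN 'UPDATE'
                      WHEN 224 THEN 'EXECUTE' WHEN 26  THEN 'REFERENCES'
                      ELSE 'ACTION_' + CAST(p.action AS varchar(10)) END AS permission
INTO    #public_perms
FROM    sysprotects p
JOIN    sysobjects  o ON o.id = p.id
WHERE   p.uid = 0                                   -- the public role
AND     p.protecttype IN (204, 205)                 -- GRANT / GRANT WITH GRANT only
AND     OBJECTPROPERTY(o.id, 'IsMSShipped') = 1     -- system (Microsoft-shipped) objects

SELECT * FROM #public_perms ORDER BY object_type, object_name, permission

-- 2. Script the change instead of applying it: review the output, run it on a
--    test server, and let every application exercise it before touching prod.
--    Start with SELECT on system tables and views; leave procedures for a later pass.
PRINT 'EXEC sp_addrole ' + QUOTENAME(@newrole, '''')
SELECT  'REVOKE ' + permission + ' ON ' + QUOTENAME(object_name) + ' FROM public'
      + CHAR(13) + 'GRANT '  + permission + ' ON ' + QUOTENAME(object_name)
      + ' TO ' + QUOTENAME(@newrole) AS change_script
FROM    #public_perms
WHERE   object_type IN ('S', 'V')
AND     permission = 'SELECT'
ORDER BY object_name

DROP TABLE #public_perms
GO
```

Repeat per database (master first, then msdb, then each application database) and keep the generated script under change control so the revoke can be rolled back by re-running the GRANT half alone.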

  •   Thanks a bunch.  As I type, the help desk tickets are now rolling in.  I am going to venture that many of the vendors will not help because we changed (or will change) many of the settings they are relying on.