User Access to Stored Procedures

  • We current have a database that users access via an application. The application allows users to log into the server and run company-built stored procedures on their own data.

    I have confirmed the users cannot run any applications other than the ones they have permissions to run, but is there a way to also restrict their ability to view the system procedures?

    Argue for your limitations, and sure enough they're yours (Richard Bach, Illusions)

  • The short answer is no. Yes, it has been done but this brings your SQL Server into an unsupported state. SQL Server 2005 is significantly better on information disclosure issues than SQL Server 2000. I know this is posted in the SQL Server 2005 forum. Is that th version you are using?

     

    K. Brian Kelley
    @kbriankelley

  • Thanks for the reply Brian!

    Version 9.0.3033 (SQL Server 2005 w/SP2): The SP2 version is '"PRE" March, 2007.

    I will look to see if I can find the discussion... I did a search before but did not locate it... always a keyword issue!

    Argue for your limitations, and sure enough they're yours (Richard Bach, Illusions)

  • I did work on it in SQL Server 2000 after observing how Microsoft attacked the problem for a particular contest. Here is the write-up I did:

    http://www.sans.org/reading_room/whitepapers/application/1273.php?portal=33dd61d594ec6f9ca63acf24a29bc898

    I don't think anything similar has been done on SQL Server 2005 mainly because of the fact that SQL2005 takes a harder line on what info it will bring back to a user.

     

    K. Brian Kelley
    @kbriankelley

Viewing 4 posts - 1 through 3 (of 3 total)

You must be logged in to reply to this topic. Login to reply