How To Restrict Evil Create Scripts?
Aug 8, 2006
Hi,
For a service I'm working on I need to ask the user for their database
create script. It's used to re-create the users database schema in a
temporary database on a in-house server in an automated fashion.
For security reasons, I need to be sure that the create script can only
create tables, columns etc and not things like snooping in other
databases and/or formatting the server.
Can you give me pointers about what the minimum grants are to let good
script execute successfully and evil scripts fail?
Regards,
Ward
View 4 Replies
ADVERTISEMENT
May 9, 2008
Can anyone help me with this? The objective is to allow an application user (with db_datareader & db_datawriter database roles assigned) to be able to create tables in the assigned schema (dbo) via a new role.
-- Create User
use master
go
create login DBA with password='xx', CHECK_EXPIRATION=ON, CHECK_POLICY=ON
use AdventureWorks
go
create user dba from login DBA
alter user dba with DEFAULT_SCHEMA=dbo
go
-- Create Role
use AdventureWorks
go
create role sp_ddl_role AUTHORIZATION dbo
grant CREATE TABLE to sp_ddl_role
-- assign user to Role
use AdventureWorks
go
exec sp_addrolemember sp_ddl_role, dba
go
-- Create Table statement then run with following error
Error:
Msg 2760, Level 16, State 1, Line 1
The specified schema name "dbo" either does not exist or you do not have permission to use it.
Remedy: Grant ALTER on schema::dbo to sp_ddl_role
My problem is that I want to restrict user permissions via this role to just the CREATE TABLE and granting ALTER on a SCHEMA will open up a whole lot more permissions from a security standpoint.
Question: How do I restirct this role to just the CREATE TABLE within a SCHEMA?
View 1 Replies
View Related
Jul 31, 2006
The dialogue with you makes me fully aware of the origin and the natureof some dreadful phenomena of the modern mentality: thedissatisfaction, the uncertainty, the rebellion, the intimateunhappiness of the contemporary human beings.They have lost the deep, metaphysical sense of the existence, themeaning of their own life, the hope of any destiny.The Light illuminating all the environment has been extinguished, andall the men are going on like blind ones, looking for a point oforientation and support, getting cross at each other and embracing oneanother as at random.Website of the author www.lorenzocrescini.it/rightEmail Join Bytes!
View 1 Replies
View Related
Sep 24, 2007
Is this a Microsoft joke? It looks like a legitimate Microsoft site:
http://thesource.ofallevil.com/downloads/details.aspx?familyid=4C6BA9FD-319A-4887-BC75-3B02B5E48A40&displaylang=en
I found it in a Google search for sql server express, but it sure has a strange URL.
View 2 Replies
View Related
Jun 4, 2007
Hi there,
I am new here, and I've tried to see if this topic has been discussed elsewhere, but since I am not familiar with the terminology, I'll stick my neck out and ask.
Quick background: I am a C# developer with limited exposure to and experience with SQL. I now have to make some design decisions for a newer version of a "legacy" app. Since those of us who are left here basically know how to query the database and do the CRUD work, but don't have a lot of mad skills in the db design department, I am wondering to which degree we should leave things alone.
Ok, so now to the actual issue.
This database is used by an application that registers sales locally for certain types of sales teams. All data is eventually extracted and sent off as ASCII files to central processing, but until then, they are stored in a table for each sales campaign.
Information about campaigns is stored in one table called CampaignSettings. Highlights of this table include a CampaignID (primary key) and some generic sales information, plus a reference to the table that holds customer information. Yep, each campaign has it's own table, as customer registrations (not just for sales, but for information requests etc.) can easily scale into the hundereds of thousands, plus the number of campaigns will eventually reach at least 20-50 active at any given time.
Yep, perhaps it sounds like a huge task for inexperienced db people, that's why we have to learn, and fast! ;)
Ok, so these individual campaign tables is where it gets interesting, and they are the reason I am writing. Each campaign table has the same basic structure - a RecordID, an insertion date, several customer information fields. And then they have two additional sets of fields; The salesinfo "nodes", and the "custom fields".
There is a table called sinode, which pretty much looks like this:
id - int, primary key
campaign - foreign key to campaignsettings campaignid field
field - varchar, the name of the column in the campaign table
desc - a description of what goes in the field (used in the sales registration app)
default - a reasonable default value showing the user what to register
Using this method, the idea is that each campaign can have a different structure (i.e. different product types sold = different information needs to be registered).
Also, for the "custom fields" stuff, something similar is employed. There is a scriptvariables table, similar to the sinode one, which contains custom fields that campaigns contain - when they feel like it, they can for instance find everyone with a certain value in a custom field and send them some sales propaganda by snailmail, with some of these script variables used in the letter. The difference between salesinfo columns and custom field columns is basically that only salesinfo columns (plus a few of the standard ones present in all tables) are reported to central processing.
QUESTION #1: Is there a name for such a table structure, where the very definition of tables themselves are somewhat dynamic and applications need to query support tables in order to know the customer table structure for each campaign. Is the name "Brain Dead Design"? ;) Or is this an acceptable way of doing things?
Since we're now upgrading things a little, among other things we're considering moving from "old fashioned" ADO.NET to LINQ or some kind of O/R mapping application, so that we'll cut down on the maintenance of the database <-> object layer.
QUESTION #2: Will an O/R Mapper or LINQ (when Orcas goes RTM) be able to handle the kind of tables we're talking about here, considering that the structure of the individual customer table is not known at compile time, but depends on the database?
And then, there's the question that has been haunting me for a while now..
QUESTION #3: If you, the reader, who with great probability knows a lot more about database design than I do, were put in charge of such a project - how would YOU design it? Keep it like today? Create a huge normalization table for sales items and custom fields? What kind of architecture would be "correct" in this case, considering that our customers scale from the very small with few campaigns to the relative large with big, nasty customer tables.
I will be extremely grateful for any replies, and I promise to read many heavy SQL books as penance, and spend 10% of my work day helping newbies for several weeks once I attain enlightenment! :)
Thanks in advance,
Havremunken
View 2 Replies
View Related
Feb 4, 2008
I ran across this technique being used in an application the other day. It seems not a good idea to me. What do you think?
1. The proc builds a basic query, nothing real fancy, into a string variable called @SQL defined as varchar 2000. Depending on the result desired, the group by clause can be one of three different sort orders.
2. The string is executed via EXEC @SQL.
It seems to me that the whole process can eliminate the EXEC and just use some other construct. All the parameters are passed in via the initial call to the stored proc. It also seems that every time this is executed it will result in a new query compile and cache useage, no matter what. Wasteful? Should I take the developers aside and knock heads? I think the app was coded by some folks who were rookies then but may be willing to crack open their code. Or, am I the one that is a rookie?
Thanks for your inputs.
View 11 Replies
View Related
Mar 11, 2007
What would be the best practice to prevent users who didn't create a record in sql from deleting? When a record is created I have the username who created the record in one of the fields. I was thinking maybe a query?
Thank you in advance.
View 8 Replies
View Related
Oct 5, 2004
I have an ETL product, every 30 minutes it loads maybe a coupla 100K records of various construction into an SQL Server Db (2000 SP3, on Win 2000 Std Server also Win 2003 Ent Server). It really hammers the Db with a combination of batch insert update and insert fallback to update etc. It does not use 100% CPU actually and is IO bound. Works a treat.
Now the problem, someone has built a .Net ADO based front end, and for the 5 minutes my product runs every 30 minutes they have a hope in hell of getting a reasonable response for their select queries. Now my take is that maybe I can delay for 5ms after each transaction I do to allow the other user processes a chance. But better maybe would be for my ETL product Db user to have a lower priority than other Db users.
What is the best way to achieve this end? If I understood more about how SQL Server prioritizes users and their requests it might help. (round robin?)
Thx.
David
View 2 Replies
View Related
Oct 5, 2004
I have an ETL product, every 30 minutes it loads maybe a coupla 100K records of various construction into an SQL Server Db (2000 SP3, on Win 2000 Std Server also Win 2003 Ent Server). It really hammers the Db with a combination of batch insert update and insert fallback to update etc. It does not use 100% CPU actually and is IO bound. Works a treat.
Now the problem, someone has built a .Net ADO based front end, and for the 5 minutes my product runs every 30 minutes they have a hope in hell of getting a reasonable response for their select queries. Now my take is that maybe I can delay for 5ms after each transaction I do to allow the other user processes a chance. But better maybe would be for my ETL products user to have a lower priority than other users.
What is the best way to achieve this end? If I understood more about how SQL Server prioritizes users and their requests it might help. (round robin?)
Thx.
David
View 2 Replies
View Related
May 28, 2008
Hi
Is it possible to restrict what IP numbers can access a sql server 2005 (can this do done in sql server 2005)?
View 3 Replies
View Related
Oct 25, 2006
Hi guys, say i wrote a query that returns 1,000 records.. what kinda query could i write that only returns say the first 50 records of the 1,000 recs..
View 4 Replies
View Related
Jan 21, 2005
Hi
I need to restrict delete from one table by any user of SQL. How can we do this? This is our master table and we dont want any one to delete data from this table.
Thanks
Bala
View 1 Replies
View Related
Nov 12, 2001
Hi,
Is there a way to prevent new users from accessing a SQL2000 db (like to put it into DBO mode) while leaving current users finish their running jobs.
I tried Alter Database and sp_dboptions and both in SQL2000 requires to close all current users. It was working in SQL7 but not in 2000.
Thanks
AAA
View 3 Replies
View Related
Jun 19, 2001
Is there a switch in 7.0 that I can set if
I don't want users to see a certain column in
a table.
Ex: TableA(column1, column2, column3)
If they do a select * from tableA
they will receive information on all three columns,
I don't want them to see the last column3.
View 2 Replies
View Related
Dec 7, 1999
Is there any way of not allowing users with MS Access from using it to connect to a SQL 7 server? Basically, no connection to SQL through MS Access should be allowed. Any ideas?
View 2 Replies
View Related
May 27, 2005
Hello Everybody,
I need some help.
When we install the Database at the clients end, the client can see all
the SQL tables, views and stored procedure in the Enterprise Manager.
Is there a way via which you can restrict the client from viewing the
tables in SQL Enterprise manager?
I hope you understand my question.
I would be oblidged if my friends could help me...
Thanks
View 1 Replies
View Related
Mar 13, 2006
Does anyone know how can we prevent users from creating offline/local cube (in Excel) from our OLAP/Analysis Service server ?
Thank you.
View 3 Replies
View Related
Mar 25, 2008
My users have sa rights to our SQL servers. I want to restrict their access to the C: so that they do not restore DB's there.
I thought at first I could create a Windows user that runs the SQL Service then grant them read rights to the C:. This does not give the user enough rights to start the service.
View 14 Replies
View Related
Jul 23, 2005
HiI have two SQL2000 servers in different sites, once a day approximately1M of data in the form of a large update is required to be transferedbetween the 2. We have use of a 2M pipe between the servers but thereis no quality of service, the other users on the pipe are traders sothere must be no interruption in the quality of their bandwidth at anytime.Is there any way of throttling back the data transfer between the twoservers to restrict its bandwidth use. Obviously we want to retain themax bandwidth on our local network.The pipe is administered by a seperate company so we do not have adminaccess to their gateways, routers etc.. so a solution which we canimplement on our database servers would be the easiest.I am not sure if this is the right newsgroup for this but anyinformation would be greatThanksMark
View 1 Replies
View Related
Jul 20, 2005
Hello All,I'm using SQL Server 2000 and wish to restrict the user login to oneinstance only. Is this possible? Is this wise?
View 3 Replies
View Related
Jul 20, 2005
Hello -I have over 100 MSSQL Databases on my SQL SERVER. How do I restrictall the MSSQL databases and its transaction logs to 100 MB.Can someone help me with any script which will do that.Thanks,Rubal Jainwww.Rubal.net
View 1 Replies
View Related
Feb 6, 2008
Here is what I need to do, maybe someone could tell me what to do.
I need to create a login (I got that part) and then limit that login to only be able to see one of the databases on the server. So this is what I'm looking for.
user1 logs in to the server
user1 can only see the database I want them to see
and can not see anything else, no msdb, no tempdb, no security, no management etc.
I also need this user to be read only (only able to run select statements)
and this user will not be the owner of the database
Please help i'm pulling my hair out
Thanks Ahead of time
View 8 Replies
View Related
Dec 16, 2006
While web hosting I use Sql Server 2000 as the database. Imagine I have hosted 3 Web Sites. All these 3 users want to modify/update their designs. What I did is I created respective 3 users having access to the respective databases only. So that they can registerd the ip and add to the Sql Server 2000 Enterprise Manager. These users are able to access their own databases only. But all these 3 users are able to access the default databases like master,pubs etc. How to restrict this.
Also suggest which is the optimal way to give control to the respective users while using Sql Server 2000.
====Suresh, P.R, Postal Training Centre, Mysore.
View 2 Replies
View Related
Mar 26, 2008
My users have sa rights to our SQL servers. I want to restrict their access to the C: so that they do not restore DB's there.
I thought I could create a Windows user that runs the SQL Service then grant them read rights to the C:. This does not give the user enough rights to start the service.
View 1 Replies
View Related
Aug 4, 2006
Hi
Are there any way to use foreign key in MS-SQL Express with ON DELETE RESTRICT like other databases?
Best Regards
Igor Sane
View 3 Replies
View Related
Feb 9, 2004
Hi,
ive a table of over 90,000 records . is ther any method for restricting the number of records returned by a SELECT query
i want to implement a query system which will give me the first 50 records, next 50 ,... and so on
can ne body help ?
View 4 Replies
View Related
Oct 2, 2007
In SQL2005, is it possible to restrict incoming sql or windows authentication logins by source hostname or IP address? Perhaps using endpoints?
We are currently using hosts file on the db server as a temporary solution, but the SA will not allow us to use this as a permanent solution.
The app team I support is asking me to build an "idiot proof" database so that an Dev or Test app server they may configure, doesn't unintentionally connect to the Production database and damage/alter data.
Don't worry, I've already asked if they can't follow some kind of M&P's to prevent this kind of silly behavior, but they insist on DBA team creating a bullet-proof database that can outsmart app developers who try to attempt something dumb like this.
Any ideas or suggestions would be greatly appreciated.
TIA,
Phil
Phil Streiff
View 2 Replies
View Related
Mar 6, 2008
Dear Gurus,
I need to do the following in SQL Server 2005:
1. Restrict access of user SA to my database
2. Encrypt contents of the whole database. Is there anything available in SQL Server 2005 (server or DB settings) which encrypt the contents. I do not want to explicitly encrypt individual columns !!
Thanks in advance
Anjum
View 3 Replies
View Related
Mar 6, 2007
How might I Restrict ASP.NET app DB permissions using Integrated Security?
I can see how it's done with SQL Authentication, but I'd prefer to do it with Windows Authentication.
Is it a matter of restricting the permissions of the general ASP.NET user (€œNT AUTHORITYNETWORK SERVICE€?)...seems like it might affect too much.
Or can I have a Windows user/identity/account that is specific to a single ASP.NET Application?
Any guidance on this would be appreciated.
Thanks!
View 3 Replies
View Related
Sep 23, 2015
I have created a user Finance and I want to grant him access only to see views which are created under Schema called "FinanceQuery".
Note: View may use tables from multiple schemas example: dbo. Staging. ectÂ
By doing this, I want to achieve that this user Finance can see only Views created under Schema FinanceQuery and should not see any other objects (tables, Stored Procedures, Functions etc.)
View 3 Replies
View Related
Nov 26, 2007
hi all
I have been posting in VB.NET forum ,but i am new to this forum.
I am working on an application using vast amount of data . So we get data in flatfiles. We used to get data for two or three months in more than three or four flat files .Some time we try to load the same files more than once .So it leads to duplicates in tables
I heard that there is some settings in table , so that it will not allow the same data once it is imported .
if anybody knows about this please help me
thanks & regards
View 6 Replies
View Related
Sep 30, 2004
Hello
I have an MSSQL server where I would like to create a couple of databases, create one user pr. DB, and give them db_owner permissions.
Giving a user db_owner permissions allows the user to make a backup of the database, which is a good thing and I would like it to stay that way.
My problem is that I don't know how to restrict the user from saving the backup to any directory or filename that he wants to.
He can not get out of the directories that the user MSSQL is running under has access to. But he can overwrite another users backupfile or placing the file in the MSSQL-programfolder.
The users is using SQL Server authentication.
Can I restrict the backup procedure to save to only one file or in one directory?
What is the best practice regarding backup if you give your users db_owner permissions?
View 6 Replies
View Related
Oct 18, 2013
i am using sql server 2008R2 and i want to restrict my application user to view only the data(ships) related to him only.
We have database and many vessels with many owners, basically wants the owner could only view his owned vessels not the vessel owned by another owner.
View 2 Replies
View Related