I hope I'm in the correct forum for this question. If I'm not, forgive me and point me in the proper direction.
I have SQL Server 2000 databases that I am trying to secure. To that end I've deleted the guest account from all but the master and tempdb databases.
Within the master db I've denied access of any "flavor" to all objects but spt_values, syscharsets, sp_MSSQLDMO80_version, and sp_MSdbuserpriv (only because I've discovered they are necessary).
Can anyone tell me where I might find the absolute minimum permissions configuration for the guest account in master?
I have no third party vendor software accessing my SQL Server 2000 databases. The thought of
Demographics:
SQL Server 2000 sp4 running on Windows 2003 Server with the current service packs.
Hi All,
How do I set just enough permissions on a database so that a developer can create new objects and modify them without giving him administrator privilege? At the moment the db objects are dbo and execute permissions are granted to individuals through a schema.
GRANT EXECUTE ON [dbo].[My_Prcsedure] TO [MySchema]
Thanks
What are the minimum permissions required by the SQL Server 2005 Upgrade Advisor (UA)? I could not find it in the documentation.
Obviously being a local Administrators Windows group and a member of sysadmin SQL Server role will do the trick.
But will being a member of only the sysadmin SQL Server role be enough? I know that the UA does want to read the registry.
Running it under just sysadmin generates the following type of errors:
Database Server PreUpgrade Requested registry access is not allowed. WINSOCKPROXY
Database Server PreUpgrade Requested registry access is not allowed. FTUNSIGNEDCOMPONENTS
Database Server PreUpgrade Requested registry access is not allowed. NETPROTOCOL
Database Server PreUpgrade Requested registry access is not allowed. FTMULTIPLEINSTANCES
Database Server PreUpgrade Requested registry access is not allowed. INVALIDNAMEDPIPE
Database Server PreUpgrade Requested registry access is not allowed. FTCOMPONENTREG
Database Server PreUpgrade Requested registry access is not allowed. FTACCTPASS
The issue then is whether these are significant or not. If the UA is only reading the registry to determine if SSAS, DTS, etc is installed then that is not important. But if it is affecting the end result because it cannot read critical information from the registry that is another matter.
To use Reporting Services as a rendering engine I want to configure a local user on the server that has only the minimum set of permissions and user rights. The server is W2K3 SP2 and SQL 9.0.3200.
In particular, this local user has been removed from the local "Users" group and so is the "Authenticated Users" built-in group. In Reporting Services, it is mapped to a role that only has the "Execute Report Definitions" task permission.
Then, following the details in http://support.microsoft.com/kb/812614/ (Default permissions and user rights for IIS 6.0) I added all file security and local user rights required for "Users" and also granted and propagated "Read&Execute" on the "Reporting Services" folder and verified this using "Effective Permissions" on the ReportService2005.asmx file.
However, I still get 401 Unauthorized, also after a complete restart of all related machines and services.
Once I add the user or "Authenticated Users" back to "Users" everything works fine.
What permissions might I be missing? Where could I find those permission requirements documented?
I tried analyzing the 401 using auditing file and object access security but to no avail. There are no Failure audit entries in the Security log.
How can I investigate the minimum permission set?
What is the risk of leaving the user in the "Users" local group?
I've got a tool that accesses syslogins to pick up some information. When I run the tool, I get the error message that says that my login does not have sufficient permissions to read syslogins. If I run under my admin ID, everything is fine. HOWEVER, the intention is that this tool will be used by non-DBA staff members so we have a generic id created to run this tool specifically (non-DBA account).
OK, so I go to Enterprise Manager and open up the master database, go to syslogins and add my non-DBA id to the permissions list as having SELECT access, and click on EXECUTE.
BOOM! No sign of my permissions being set.
Am I missing something? If so, what do I need to do to set permissions against this view?
I'm trying to identify the objects in master that the role public has select permissions on, but when I run this query, I get 4 results where the default schema is null and the major_id column does not correspond to any records in the sys.all_objects table. Where else can I look to find what objects these are? DBO is listed as the grantor.
I appreciate your help.
SELECT * FROM SYS.DATABASE_PERMISSIONS P, SYS.DATABASE_PRINCIPALS R WHERE P.GRANTEE_PRINCIPAL_ID=R.PRINCIPAL_ID and permission_name='SELECT' and class_desc='OBJECT_OR_COLUMN' and r.name='public' order by r.name desc
Hi all
I have a stored procedure that has the line
EXEC master..xp_cmdshell 'dtsrun /Stestjob1 /N testdts /E'
If I run the SP from an access front end as a trusted user or from a scheduled job it runs fine and executes the dts.
If I run the stored procedure using VB6 as a standard connection the dts job won't run. I get back Execute permissions denied on xp_cmd.. on database master
db_connect_string = "Provider=SQLOLEDB.1;Persist Security Info=False;User ID=test_connect;PWD=pw1test;Initial Catalog=testdb;Data Source=" & database_name
....
Set cmd = New ADODB.Command
cmd.ActiveConnection = db_connect_string
cmd.CommandType = adCmdStoredProc
cmd.CommandText = "testStoredProcedure"
cmd.Execute
Do I need to give test_connect permissions to run the test stored procedure? I hoped that because the VB called a stored procedure and the connection had permissions to execute the SP then it would be the SP that called the xp_command....
Can anyone tell me the accepted way to do this?
Many thanks
Andy
If our SQL Server is not part of a domain, can "Guest" users still connect to the SQL server?
What we are experiencing is -- when a drive is mapped to the server connectivity is fine. But, without the drive mapping, the SQL connections cannot be made.
Thoughts, Ideas,
(hopefully without adding unique logins for each user at the server)
In the "master" database I mistakenly mapped the "guest" user to a SQL user "XXX" created in SQL Server. This kind of setting no longer allows access to the db with the anonymous "guest" user (mapped to null) (with permissions limited to the public role). I have tried, both from EM and with the various SPs, to remove the user, to map it to another user, ... but I have not managed to restore the original situation. I need an idea so that I don't have to back up all the dbs, uninstall SQL Server, reinstall SQL Server and restore all the dbs (a possible solution, but one I am keeping as a last resort!!). Thanks
I would like a guest to view some items on the application.
And I recently installed SQL Server 2000 on my machine. Will integrate Access when ready.
I can access or simply read data from a db if I specify User ID and Password.
Such as....
Dim nwindConn As SqlConnection = New SqlConnection("Data Source=localhost;User Id=sa;Password=xxxxx;Initial Catalog=Northwind;")
Yes, testing first, then adjusting all my code for the SQL instead of Access.
If I leave the id and pw out, it won't read - login failure. I have read so much on authentication and some posts here, even the one on login failure, but that didn't help.
Keep in mind, just installed, only users are the default ones by the installation.
What setting in the SQL Server is there, and I have looked, that if it's a guest, no id or pw, allow read only to items such as datagrids which only read from tables?
Hi All, I encountered a bizarre situation. The guest id in tempdb disappeared after I rebooted (shutdown and startup) my server. That caused errors in the application whenever a stored proc needs to create a temporary table. Has anyone seen this happen before? Any idea on why or how it happened? Thanks in advance.
Hi, I know this seems odd but is there any way to change the guest's password? I know this is paradoxical regarding the nature of guest user but if there is any way please clarify me! -Thanks
I have some questions regarding the guest acct. I am using some database security scanning software (again) and it says that the guest acct should be dropped from these databases: msdb, pubs, Northwind.
Can I safely say that I can drop the guest acct in pubs and Northwind without any issue?
For msdb, will there be any concerns? How can I verify?
If I just revoke the public permission on guest, is it the same as dropping the user?
Lastly, I see that in all databases, the guest acct exists, but some are of permit and some are of via group membership for the database access column. What is the difference?
Thanks guys. Appreciate your help. Audit deadline coming up.. I still have about 20 more audit pts to go... :)
When I restart my database server, the guest login is getting deleted automatically from tempdb. It shouldn't happen. Please can anyone suggest a solution for my problem?
I've used the following:
EXEC sp_MSforeachdb 'USE [?]; REVOKE CONNECT FROM GUEST;'
GO
And this is what I get:
Msg 15182, Level 16, State 1, Line 2 Cannot disable access to the guest user in master or tempdb.
Msg 15182, Level 16, State 1, Line 2 Cannot disable access to the guest user in master or tempdb.
Msg 15151, Level 16, State 1, Line 2 Cannot find the user 'GUEST', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 2 Cannot find the user 'GUEST', because it does not exist or you do not have permission.
Msg 15151, Level 16, State 1, Line 2 Cannot find the user 'GUEST', because it does not exist or you do not have permission.
When I do this:
EXEC sp_MSforeachdb 'USE [?]; SELECT ''[?]'' AS DBName,* FROM sysusers;'
GO
The guest sid for all tables shows 0x00, is this the reason I get above errors?
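The Msg 15182 lines quoted above show that guest cannot be disabled in master or tempdb. As an added example (not code from the original post), the following T-SQL revokes CONNECT from guest in the remaining databases and then reports, per database, whether guest still holds CONNECT. It assumes SQL Server 2005 or later and a sysadmin login; skipping msdb as well is an assumption of this example, and the temp table name #guest_state is made up for it.

```sql
-- Added example; assumes SQL Server 2005+ and a sysadmin login.
SET NOCOUNT ON;
CREATE TABLE #guest_state (database_name sysname, guest_can_connect bit);  -- hypothetical name

DECLARE @db sysname, @sql nvarchar(max);
DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';

OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- master and tempdb reject the REVOKE (Msg 15182); msdb is skipped as an assumption.
    IF @db NOT IN (N'master', N'tempdb', N'msdb')
    BEGIN
        -- Lowercase guest is the built-in user's name, so it also resolves
        -- in databases with a case-sensitive collation.
        SET @sql = N'USE ' + QUOTENAME(@db) + N'; REVOKE CONNECT FROM guest;';
        BEGIN TRY
            EXEC (@sql);
        END TRY
        BEGIN CATCH
            PRINT @db + N': ' + ERROR_MESSAGE();  -- e.g. a read-only database
        END CATCH;
    END;

    -- Record whether guest still holds a granted CONNECT in this database.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #guest_state (database_name, guest_can_connect)
        SELECT DB_NAME(), CASE WHEN EXISTS (
            SELECT 1
            FROM sys.database_permissions AS p
            JOIN sys.database_principals AS u
              ON u.principal_id = p.grantee_principal_id
            WHERE u.name = N''guest''
              AND p.class = 0
              AND p.permission_name = N''CONNECT''
              AND p.state IN (''G'', ''W'')) THEN 1 ELSE 0 END;';
    EXEC (@sql);

    FETCH NEXT FROM db_cur INTO @db;
END;
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT database_name, guest_can_connect FROM #guest_state ORDER BY database_name;
DROP TABLE #guest_state;
```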
I try to attach a database mdf file to Microsoft SQL server 2014 on Amazon Elastic Computing Cloud, EC2, but fail with the following message, "User 'guest' does not have permission to run DBCC checkprimaryfile. (Microsoft SQL Server, Error: 2571)" The ID I use to REMOTE login has administrator rights and I have chosen to "run as administrator"
I've read a bunch of articles saying you should always remove the guest user from the user databases and model. It seems to me that if a user only has public access then the user can't do anything on the database. If the guest user only has public access to a user database how is it a security threat? I must be missing something.
Can I use osql to know the databases installed on a server via the 'guest' account?
I had over 300 servers with sql server all around France (different versions: 6.5, 7 and 8).
I need to check all databases on each server from my place.
Of course, or else it would have been too easy, I don't have all the 'sa' passwords...
Is it possible to use the 'guest' account to execute a query like this via osql:
Extract.sql
exec sp_helpdb
Extract.cmd
for /f "usebackq tokens=1 delims=" %%i IN (ListServer.txt) DO osql -S%%i -Uguest -P -dmaster -i"C:\Extraction\Extract.sql" -o"C:\Extraction\%%i.rpt"
Could I query 'master' with the 'guest' account?
Or any other ideas how to do this another way?
Thanks
Hi Guys, We are using MS SQL 2005. I am asked to remove the PUBLIC rights to the objects listed in the following query in the master DB:
SELECT sysusers.name, sysobjects.name,sysprotects.action FROM sysobjects, sysusers, sysprotects WHERE sysobjects.id = sysprotects.id AND sysprotects.uid = sysusers.uid AND sysprotects.protecttype = 205
I keep having the "Cannot find the object [Objectname], because it does not exists or you do not have permission."
How do I create a query to remove the PUBLIC rights in a single run? (There are a total of 1660 items, please don't ask me to write the DENY or REVOKE statement 1660 times.)
How do I DENY the rights for objects starting with the prefix "dm_" or items like "TABLE PRIVILEGES"? Thanks guys. Any help on this is greatly appreciated.
I have a situation (on SQL Server 2000 SP3a) where the guest account appears in the list of database users despite the account being removed via sp_dropuser.
The guest account appears in the list of users with Database Access set as 'Via Group Membership'
Once in this state it cannot be removed as sp_dropuser will now report:
Server: Msg 15008, Level 16, State 1, Procedure sp_revokedbaccess, Line 36 User 'guest' does not exist in the current database.
My concerns are:
(a) Does this imply any security risks?
(b) How can I remove all reference to the guest account?
I have set up a new SQL 2000 SP4 and the internal auditor queried about revoking permissions from the Public role and removing guest from all databases.
1. Can I revoke all default permissions (select on system tables in all DBs) from the "Public" role? I am concerned about any errors after such an action.
2. I found the guest account in the DBs master, tempdb and msdb. According to Microsoft documents, the account should not be removed, and can't be, from master and tempdb. How about msdb?
In SQL2000, when the Guest account was assigned into a role, such as db_datareader, then querying across databases worked just fine.
Specifically: I have a Report Writer application that connects to the SQL Server with a login (ReportRunner) that actually has very limited permissions on a database. The connection is then set (sp_setapprole) to use an Application role (App_RR) that has the necessary permissions. The report-writer app calls a Stored Procedure that gathers data from several other databases (on the same SQL instance). In SQL 2000, accessing these other databases was done through Guest - we assigned Guest to the db_datareader role. All worked fine.
We've just upgraded to SQL2005: reports started failing. It seems that although guest is assigned to the db_datareader role, the permissions for Guest don't allow selecting from tables via the db_datareader role: we've had to GRANT SELECT TO Guest specifically on the tables necessary for the report.
Is anyone aware of a design change within SQL Server such that the Guest principal's roles are disregarded when assessing permission? Is there a new and better way to structure the permissions?
One of our databases has at some point in its dark past had the owner of the guest schema changed to be a named user, rather than the default guest user. Correcting this feels like it would be easy enough by running the following...
  ALTER AUTHORIZATION ON SCHEMA::guest TO guest
but that results in..
  Msg 15150, Level 16, State 2, Line 3
  Cannot alter the schema 'guest'.
I realise the guest schema is a special one, and cannot be dropped, but I'm not trying to do that. End goal is to export the database to a SQL Azure DB, and this guest schema assignment is blocking that process from completing.
I don't know if this is the right forum to post this question, but here it goes.
We have restored into sql 2005 the database backups made in sql 2000. We connect with trusted connection and application roles, and when trying to execute a transaction to another database (with the guest user), we get a permission error.
Does anyone know if, apart from restoring the databases, we should do something else to get the guest user working the same way as with sql 2000 in the restored databases?