Hi Guys,

The script you are after is
http://support.microsoft.com/kb/889696/en-us
(Run this script at your own risk, and pls test it on a dev server before
running on a prod server)

It only works on SQL 2000.

I don't think there is one for 2005; I haven't had much time to play with 2005
yet.

By default guest is assigned to all the DB's, hence everyone has access to
all the DB's on the server if you have access via EM. Pls remove Guest from
all DB's; now you will see only a list of DB's via EM and won't have access
to them.

I think there are two system DB's that you can't remove Guest from.

Russ, what side effects have you come across from running the MS script
(hopefully I didn't read your post wrongly)?

If anyone can share any info about 2005, that would be great.

Joel

-----Original Message-----
From: Snake [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 9 May 2006 8:59 AM
To: CF-Talk
Subject: RE: Big SQL security hole at Crystaltech?

It is nothing to do with guest user, databases do not have this by default.
As stated, this is the known default behaviour of SQL Server and EM, and
Microsoft released a stored proc to update the master table to stop users
seeing other users' DB's. You can easily test this yourself by creating a
new DB with a new user, then open EM and connect to the server as that user.
Unless you have made efforts to modify your SQL server as mentioned, you will
see all databases.

Snake 

-----Original Message-----
From: Stephen Hait [mailto:[EMAIL PROTECTED] 
Sent: 08 May 2006 22:52
To: CF-Talk
Subject: Re: Big SQL security hole at Crystaltech?

I think this occurs when databases have a user with the name of guest.
Databases without a user named guest should not have their objects or even
their database names exposed. If you have a user in your database named
guest, delete that user and your database should not be visible to others
thru EM. That's my understanding, anyway.

Regards,
Stephen

On 5/8/06, Matt Robertson <[EMAIL PROTECTED]> wrote:
> After signing onto a new client's SQL Server account, first on one dedicated server and then another, I found I could not only see several other databases belonging to other customers... I could click on the Tables tab and see all of their tables.  Taking it a step further, I could double-click on a table and pull up its table structure.  All of this is in SQL Enterprise Manager.  They have two separate accounts and I could see eight other databases that didn't belong to my client on one server and 9 on the other.
>
> I could not modify the tables or view the data (I didn't even try to Drop of course).
>
> Poking around a little more, I found I could view all of another db's stored procedures!
>
> This prompted me to load up a second customer of mine, who also has a SQL account at Crystaltech.  Same freaking story!
>
> Before I completely blow a gasket I wanted to confirm this is as big of a screwup as I think it is.  There is an easy fix for this right?  I fired up another client and, while I can see other existing db's, if I try and click on anything I get a refusal (error 916.  not an authorized user).
>
> Anyone else with a Crystaltech account... Can you chime in here?  Do you see the same things I do?
>
> 
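
The guest-user question raised in this thread can be checked directly on a server. The following is an added example, not code from any poster or from the Microsoft KB script: a report-only T-SQL audit that lists, per online database, whether the `guest` user currently has database access. It assumes a sysadmin login and relies on the `sysusers` table (`hasdbaccess` column) and `master.dbo.sysdatabases`, which exist on SQL Server 2000 and remain available as compatibility views on later versions.

```sql
-- Added example: read-only audit of guest access, changes nothing on the server.
-- Assumption: run as a sysadmin so every database can be opened.
SET NOCOUNT ON;

CREATE TABLE #guest_audit (
    database_name sysname NOT NULL,
    guest_enabled bit     NOT NULL
);

DECLARE @db sysname, @sql nvarchar(4000);

-- Skip offline/restoring databases, which would raise an error when queried.
DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE';

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against database names containing brackets or spaces.
    SET @sql = N'INSERT INTO #guest_audit (database_name, guest_enabled)
                 SELECT @name,
                        CASE WHEN EXISTS (SELECT 1
                                          FROM ' + QUOTENAME(@db) + N'.dbo.sysusers
                                          WHERE name = ''guest'' AND hasdbaccess = 1)
                             THEN 1 ELSE 0 END';
    EXEC sp_executesql @sql, N'@name sysname', @name = @db;
    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

-- guest_enabled = 1 means any login on the server can enter that database as guest.
SELECT database_name, guest_enabled
FROM #guest_audit
ORDER BY database_name;

DROP TABLE #guest_audit;
```

Rows with `guest_enabled = 1` outside the system databases are the ones to review; the script itself makes no changes.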