Resitricting users from seeing other databases
-
Hi everybody, I'm fairly new to SQL server but i've been asked to set up a user account so that he\she can access their database remotely.
I have managed to set this up fine however i have a question. Currently the user is able to see every other database on the server, they cannot edit\access the databases they do not own but surely this is still a bit of a security risk? An attacker would have one less hurdle to cross if they knew the name of the database. (Paranoid?)
At this point I fear that i might have people in fits of laughter by now but i've tried to look and see if theres a setting somewhere do restrict this information being passed on but i can't find it... Could someone enlighten me
Another query i have is whether it is safe or not that the user is able to get access to what i assume to be system databases 'master' and 'tempdb'. Is this ok? What are these tables?
Thanks in advance!!
Tom
-
This was removed by the editor as SPAM
-
Hi
Here is an arcticle about preventing users from viewing databases that don't belong to them.
http://support.microsoft.com/default.aspx/kb/889696
After you apply the modified version of sp_MSdbuseraccess stored procedure, the user can only see the databases that they have access to in SQL Server Enterprise Manager.
Hope this helps
-
Another option is to create a second instance of SQL Server and have that user's database on that instance.
-SQLBill
-
In SQL Server 2005 users are not able to list objects that they do not have permissions on. I'd check the group memberships of this user.
Master is now an interface for users to interact with and system objects and user-database specific objects are stored in a hidden resource database.
Tempdb is used for calculations, a scratch-pad if you like - everything here is transitory.
Hope this explains things a bit.
Viewing 5 posts - 1 through 4 (of 4 total)
You must be logged in to reply to this topic. Login to reply