May 7, 2008 at 9:46 am
My company web site had hackers attack it two days in a row. My company does not use Windows authentication for some reason, and the sign-on id that connects the web pages to the databases has db_datareader permission.
Does that mean the users can read the system tables and system views with db_datareader permission?
The hackers were trying to read the sysobjects and syscolumns tables, and I want to stop that.
Thanks.
May 7, 2008 at 9:55 am
Using db_datareader is not a good practice. The user logging into the website should only have permissions on the objects it needs access to. By default any user can read from system tables because all users get put into the public role when added to a database, and the public role has SELECT on the system objects. In 2005 those are views and functions, not tables.
You could put an explicit DENY for the objects you want to protect. Make sure you test this out thoroughly.
Jack Corbett
Consultant - Straight Path Solutions
Check out these links on how to get faster and more accurate answers:
Forum Etiquette: How to post data/code on a forum to get the best help
Need an Answer? Actually, No ... You Need a Question
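The following T-SQL is an added example of the approach Jack describes (least privilege instead of db_datareader, plus an explicit DENY on the catalog views); it is not code from the original thread. The database name WebAppDb, the login WebAppLogin, the user WebAppUser, and the objects dbo.usp_GetProduct and dbo.Products are assumed names for illustration.

```sql
-- Added example: lock down the web site's database user on SQL Server 2005.
-- WebAppDb, WebAppLogin, WebAppUser, dbo.usp_GetProduct and dbo.Products are
-- hypothetical names; substitute your own.
USE WebAppDb;
GO

-- 1. Map the login to a database user. It lands in the public role only.
CREATE USER WebAppUser FOR LOGIN WebAppLogin;
GO

-- 2. If the user is already in db_datareader, take it back out.
EXEC sp_droprolemember 'db_datareader', 'WebAppUser';
GO

-- 3. Grant only what the pages actually need: EXECUTE on the stored
--    procedures the site calls and SELECT on the specific tables it must
--    read directly. Nothing else.
GRANT EXECUTE ON OBJECT::dbo.usp_GetProduct TO WebAppUser;
GRANT SELECT  ON OBJECT::dbo.Products        TO WebAppUser;
GO

-- 4. Explicit DENY on the catalog views and on the SQL 2000-style
--    compatibility views (sysobjects, syscolumns) that public can read.
DENY SELECT ON OBJECT::sys.objects    TO WebAppUser;
DENY SELECT ON OBJECT::sys.columns    TO WebAppUser;
DENY SELECT ON OBJECT::sys.sysobjects TO WebAppUser;
DENY SELECT ON OBJECT::sys.syscolumns TO WebAppUser;
GO

-- 5. Test as that user before deploying. Run this as a db_owner or sysadmin
--    so that the impersonation is allowed.
EXECUTE AS USER = 'WebAppUser';
SELECT name FROM sys.objects;        -- expected: permission denied error
SELECT name FROM sys.sysobjects;     -- expected: permission denied error
SELECT TOP 1 * FROM dbo.Products;    -- expected: succeeds
REVERT;
GO
```

Two points worth knowing when you test this. First, in SQL Server 2005 the catalog views already filter by metadata visibility, so a user with only the grants in step 3 sees rows in sys.objects for the objects it has permission on and nothing else; db_datareader is what lets an attacker enumerate every table. Second, if the site's pages query sysobjects or syscolumns themselves (some data-access code and ORMs do at startup), the DENY in step 4 will break them, which is why the thorough testing Jack recommends matters.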