System Stored Procedures

  • Can anyone suggest a list of system stored procedures that should have restricted access to users for better security such as denying access to xp_cmdshell? I am trying to lock down my database as much as possible but am not sure which system stored procedures are required and which are not. Any help would be greatly appreciated.

  • There's a good list here:

    http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=3&tabid=4

    --Jonathan




  • Hi Scout7,

    You may wish to visit http://www.sqlsecurity.com.

    The link below will take you to a SQL Server lock down script written by Chip Andrews. The script was written to "provide administrators (SQL Server or otherwise) a baseline lockdown configuration for new installations. These settings should disable potentially dangerous functionality while leaving the server operational and still capable of Service Pack and hotfix installations."

    You will need to edit the script prior to using it. You may wish to use the script in whole or in part.

    May I suggest that you research each stored procedure's full functionality as it relates to your server(s) usage prior to adjusting or revoking permissions on your server(s).


    http://www.sqlsecurity.com/scripts/lockdown.sql

    Good Luck,

    SJaxon
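    As an added illustration (not part of any post in this thread, nor from the sqlsecurity.com script), the T-SQL below does what the question and the advice above describe: it first inventories which system and extended stored procedures in master the public role can execute, then denies EXECUTE on xp_cmdshell to public and verifies the result as a low-privileged login. It assumes SQL Server 2005 or later catalog views, a sysadmin session, and a placeholder login name app_user.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005+ catalog views
-- and a sysadmin session. 'app_user' is a placeholder login name.
USE master;
GO

-- 1. Inventory: every stored procedure (SQL or extended) in master whose
--    EXECUTE permission is granted or denied to the public role. Review this
--    list against your application's real needs before revoking anything.
SELECT o.name          AS procedure_name,
       o.type_desc     AS object_type,
       dp.state_desc   AS permission_state,   -- GRANT or DENY
       pr.name         AS grantee
FROM sys.objects AS o
JOIN sys.database_permissions AS dp
     ON dp.major_id = o.object_id
    AND dp.class    = 1                        -- 1 = OBJECT_OR_COLUMN
JOIN sys.database_principals AS pr
     ON pr.principal_id = dp.grantee_principal_id
WHERE o.type IN ('X', 'P')                     -- X = extended SP, P = SQL SP
  AND pr.name = 'public'
  AND dp.permission_name = 'EXECUTE'
ORDER BY o.name;
GO

-- 2. Lock down the procedure named in the question. DENY overrides any GRANT
--    the login inherits through other roles; members of sysadmin are never
--    affected by DENY, so this protects only against non-sysadmin principals.
DENY EXECUTE ON OBJECT::dbo.xp_cmdshell TO public;
GO

-- 3. Verify from the viewpoint of a low-privileged login (placeholder name).
--    Expect 0 for can_execute once the DENY is in place.
EXECUTE AS LOGIN = 'app_user';
SELECT HAS_PERMS_BY_NAME('dbo.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_execute;
REVERT;
GO
```

    On SQL Server 2005 and later the xp_cmdshell feature is also switched off at the server level through sp_configure, which the permission-based approach in this thread predates.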

  • You might want to search the web for OpenHack 2002 app source code (675 KB).zip

    It contains documents where Microsoft showed an absolute minimum privileged system.

    If you can't find it, contact me offline.

    Frank

    http://www.insidesql.de

    http://www.familienzirkus.de

    Edited by - Frank Kalis on 11/18/2003 01:05:56 AM

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • Thank you all for your quick replies, you have all been very helpful.

  • Problem with OpenHack 4 is it is an unsupported config, so far as Microsoft is concerned. The list from SQL Security is probably the best bet. OpenHack 4's config breaks the ability to do a lot of things... apply service packs, completely manage through EM, etc.

    K. Brian Kelley, GSEC

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • quote:


    Problem with OpenHack 4 is it is an unsupported config, so far as Microsoft is concerned. The list from SQL Security is probably the best bet. OpenHack 4's config breaks the ability to do a lot of things... apply service packs, completely manage through EM, etc.

    K. Brian Kelley, GSEC


    well, nothing comes for free

    What is this GSEC?

    Frank

    http://www.insidesql.de

    http://www.familienzirkus.de

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/

  • GSEC stands for GIAC Security Essentials Certification and it's a vendor-independent security certification. GIAC stands for Global Information Assurance Certification and there are several tracks. GSEC is the generic security one. GIAC is the certification series from the SANS institute. SANS is an acronym for SysAdmin, Audit, Network, Security. So there you have the acronym "farm."

    The GSEC certification requirements begin with a practical of at least 12 pages on an information security topic. It must have a requisite number of sources, etc., and is graded pass/fail. Once a GSEC candidate passes the practical, he or she has two certification tests to pass in order to complete the GSEC. Interestingly enough, my GSEC practical is on permissions the public role has. When it posts to the SANS GIAC page, I'll share the link. I'm also breaking it down into a series of articles.

    K. Brian Kelley, GSEC

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/

    K. Brian Kelley
    @kbriankelley

  • quote:


    GSEC stands for GIAC Security Essentials Certification and it's a vendor-independent security certification. GIAC stands for Global Information Assurance Certification and there are several tracks. GSEC is the generic security one. GIAC is the certification series from the SANS institute. SANS is an acronym for SysAdmin, Audit, Network, Security. So there you have the acronym "farm."

    The GSEC certification requirements begin with a practical of at least 12 pages on an information security topic. It must have a requisite number of sources, etc., and is graded pass/fail. Once a GSEC candidate passes the practical, he or she has two certification tests to pass in order to complete the GSEC. Interestingly enough, my GSEC practical is on permissions the public role has. When it posts to the SANS GIAC page, I'll share the link. I'm also breaking it down into a series of articles.

    K. Brian Kelley, GSEC

    http://www.truthsolutions.com/

    Author: Start to Finish Guide to SQL Server Performance Monitoring

    http://www.netimpress.com/


    Woo, sounds like a big CONGRATS to you !!!!

    Frank

    http://www.insidesql.de

    http://www.familienzirkus.de

    --
    Frank Kalis
    Microsoft SQL Server MVP
    Webmaster: http://www.insidesql.org/blogs
    My blog: http://www.insidesql.org/blogs/frankkalis/
