September 23, 2013 at 9:10 am
sknox (9/23/2013)
So if you don't need the features that rely on guest access, you can disable it in msdb? So the correct answer should be "It depends on the security requirements"?
The correct answer should always be "it depends."
:discuss:
I also think that "it depends". Especially since you can grant connect permissions to the users directly (instead of relying on guest) if you really want to harden the system.
And you have no (known) issues if you do not use SSMS or OCS at all for your super secure production system
Best Regards,
Chris Büttner
September 23, 2013 at 9:25 am
Christian Buettner-167247 (9/23/2013)
sknox (9/23/2013)
So if you don't need the features that rely on guest access, you can disable it in msdb? So the correct answer should be "It depends on the security requirements"?
The correct answer should always be "it depends."
:discuss:
I also think that "it depends". Especially since you can grant connect permissions to the users directly (instead of relying on guest) if you really want to harden the system.
And you have no (known) issues if you do not use SSMS or OCS at all for your super secure production system
I'm not sure that the _correct_ answer should always be "it depends" but the _kneejerk_ answer usually is.
I don't like questions with subjective measures like "is it a good idea to ..."
Even "best practices" evolve over time. I know.. QotD is explicitly 'now' but I'm being pedantic.
btw, I didn't see anyone answer why guest has so much access by default. On the same front, why does "public" even exist? (oh right, else there would be free-for-all naming of the "everyone" or "don't bother me about security" group)
September 23, 2013 at 11:43 am
Having worked in DIACAP environments, the answer is definitely "it depends".
Part of the government SQL Server lockdowns requires revoking CONNECT to guest for all databases, including system databases.
Any users which require functionality listed in 2539091 must be explicitly granted permission to the databases and documented as such.
This is a rather uncommon situation, but still a possibility.
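As an added example (not part of the post above and not from any of the posters): one way to audit which databases still let guest connect, then replace guest access in msdb with an explicit user. The login name `CORP\dba_reader` is a hypothetical placeholder, and the hardening step is limited to msdb, the database this thread discusses.

```sql
-- Added example. GO is the SSMS/sqlcmd batch separator.
-- 1. Audit: list every online database where guest currently holds CONNECT.
DECLARE @db sysname, @sql nvarchar(max);
CREATE TABLE #guest_connect (database_name sysname, state_desc nvarchar(60));

DECLARE db_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = 'ONLINE';
OPEN db_cur;
FETCH NEXT FROM db_cur INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards against odd database names in the dynamic USE.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT INTO #guest_connect
        SELECT DB_NAME(), p.state_desc
        FROM sys.database_permissions AS p
        JOIN sys.database_principals AS dp
          ON dp.principal_id = p.grantee_principal_id
        WHERE dp.name = N''guest''
          AND p.class = 0                      -- database-level permission
          AND p.permission_name = N''CONNECT''
          AND p.state IN (''G'', ''W'');';     -- GRANT or GRANT WITH GRANT OPTION
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM db_cur INTO @db;
END
CLOSE db_cur;
DEALLOCATE db_cur;

SELECT database_name, state_desc FROM #guest_connect ORDER BY database_name;
DROP TABLE #guest_connect;
GO

-- 2. Harden msdb: create the explicit user first, then disable guest.
--    master and tempdb are left alone here: SQL Server needs guest enabled there.
USE msdb;
GO
-- Hypothetical login; CREATE USER gives it CONNECT in msdb without relying on guest.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CORP\dba_reader')
    CREATE USER [CORP\dba_reader] FOR LOGIN [CORP\dba_reader];

REVOKE CONNECT FROM guest;
GO
```

Re-running the audit query afterwards should no longer list msdb; any msdb roles the explicit user needs still have to be granted and documented separately.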
September 23, 2013 at 12:53 pm
Hmm... Got it wrong based on
http://msdn.microsoft.com/en-us/library/ff648664.aspx
which clearly recommends disabling the guest account (Step 4).
September 23, 2013 at 12:57 pm
hmm.. however this link clearly at the top says:
"Retired Content
This content is outdated and is no longer being maintained. It is provided as a
courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published,
but now link to sites or pages that no longer exist."
September 23, 2013 at 1:00 pm
Michael_Garrison (9/23/2013)
hmm.. however this link clearly at the top says: "Retired Content
This content is outdated and is no longer being maintained. It is provided as a
courtesy for individuals who are still using these technologies.
This page may contain URLs that were valid when originally published,
but now link to sites or pages that no longer exist."
Yeah, but it was not deprecated, meaning taken down. I hope it means it is still valid.
September 23, 2013 at 1:34 pm
Revenant (9/23/2013)
Hmm... Got it wrong based on http://msdn.microsoft.com/en-us/library/ff648664.aspx
which clearly recommends disabling the guest account (Step 4).
This was also written in 2003 about SQL Server 2000 with .NET 2/VS 2003.
For some reason these documents have not changed much since then.
Would love M$ to release something like this for .Net 4 and SQL 2012 - 2014.
September 23, 2013 at 1:36 pm
Mike Dougherty-384281 (9/23/2013)
I'm not sure that the _correct_ answer should always be "it depends" but the _kneejerk_ answer usually is.
+10 to that!
September 24, 2013 at 1:19 am
Good question for core DBA.
---------------------------------------------------
"There are only 10 types of people in the world:
Those who understand binary, and those who don't."
September 26, 2013 at 4:16 pm
Good Question. I liked the explanation.
Jason...AKA CirqueDeSQLeil
_______________________________________________
I have given a name to my pain...MCM SQL Server, MVP
SQL RNNR
Posting Performance Based Questions - Gail Shaw
Learn Extended Events
October 1, 2013 at 3:32 pm
I disable it for Internet facing databases and grant specific permissions. It's also interesting that the article has not been reviewed in two years and SQL 2012 is not listed in the applies to section.
Joshua Perry
http://www.greenarrow.net