Non-privileged users had the privileges to discover the password used in DTS

  • During a security audit of SQL Server this was one of the findings.

    Non-privileged users had the privileges to discover the password used in the SQL Data Transformation Services (DTS) Package.

    How can I revoke these permissions from non-privileged users? Could someone shed some light on this?

    Sanz
  • Firstly, can you elaborate on how a user who doesn't have privileges is able to discover the DTS password?

    -Forum Etiquette: How to post Performance Problems

    -Forum Etiquette: How to post data/code to get the best help

  • SanthoshViswanathan (9/16/2009)


    During a security audit of SQL Server this was one of the findings.

    Non-privileged users had the privileges to discover the password used in the SQL Data Transformation Services (DTS) Package.

    How can I revoke these permissions from non-privileged users? Could someone shed some light on this?

    Can you give more details on how the security audit detected this?

    --------------------------------------------------------------------------------------
    Recommended Articles on How to help us help you and
    solve commonly asked questions

    Forum Etiquette: How to post data/code on a forum to get the best help by Jeff Moden
    Managing Transaction Logs by Gail Shaw
    How to post Performance problems by Gail Shaw
    Help, my database is corrupt. Now what? by Gail Shaw

  • Security audit was done by a third party... I believe they used some tools for this purpose... In their final output to the management they gave this point that in one SQL Server users other than DBAs had privilege to discover password used in DTS packages...

    Sorry that I am not in a position to elaborate more on this...

    Sanz
  • SanthoshViswanathan (9/16/2009)


    Security audit was done by a third party... I believe they used some tools for this purpose... In their final output to the management they gave this point that in one SQL Server users other than DBAs had privilege to discover password used in DTS packages...

    Sorry that I am not in a position to elaborate more on this...

    It can only be possible if that user has access to your SQL Server (maybe through the builtin Administrator Group account).


  • I would ask for your money back if they cannot explain how their "Tool" detected this problem.

    Did they mention which accounts could do this activity?

    All I can suggest is that you check the SQL Server on which this audit failure occurred, and see what logins have elevated privileges, in particular server roles and roles like db_dtsadmin and the other db_dts roles in the msdb database.


  • Vishal,

    What I meant by non-privileged users was users other than sysadmin users (DBAs)... Of course the non-privileged users have access to SQL Server...

    Sorry if I was not clear on that... 🙂

    Now, as you said that it can be possible if a user has access to SQL Server... Can you please explain how it is possible?

    Sanz
  • SanthoshViswanathan (9/16/2009)


    Vishal,

    What I meant by non-privileged users was users other than sysadmin users (DBAs)... Of course the non-privileged users have access to SQL Server...

    Sorry if I was not clear on that... 🙂

    Now, as you said that it can be possible if a user has access to SQL Server... Can you please explain how it is possible?

    As explained by silverfox, please check if that user is a part of roles like db_dtsadmin and the other db_dts roles in the msdb database.


  • SanthoshViswanathan,

    Do you execute packages in agent jobs? If so, is the DTSRun command in plain text or is it encrypted? If a user can see the DTSRun command in the job step, he can see the password.

    Greg

  • Thanks to all you guys for every bit of help....

    Finally found out what the exact problem was... The auditors needed the public permission on msdb.dbo.sp_get_dtspackage to be revoked to protect passwords given to DTS packages and the execute permission to be revoked from public on the stored procedures msdb.dbo.sp_enum_dtspackages and msdb.dbo.sp_get_dtspackage

    Sanz
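
The change described in the final post, together with the role check suggested earlier in the thread, written out as T-SQL. This is an added example, not code from the thread; it assumes SQL Server 2005 or later (the `sys.*` catalog views) and that both procedures live in the `dbo` schema of msdb.

```sql
-- Added example: audit and remove public access to the DTS package procedures.
-- Assumption: SQL Server 2005+ catalog views are available.
USE msdb;
GO

-- 1. Before: which principals hold permissions on the two procedures?
--    A row with grantee = 'public' and state GRANT is the audit finding.
SELECT  o.name             AS procedure_name,
        pr.name            AS grantee,
        pr.type_desc       AS grantee_type,
        pe.permission_name,
        pe.state_desc
FROM    sys.database_permissions AS pe
JOIN    sys.objects              AS o  ON o.object_id     = pe.major_id
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 1                              -- object-level permissions
  AND   o.schema_id = SCHEMA_ID(N'dbo')
  AND   o.name IN (N'sp_get_dtspackage', N'sp_enum_dtspackages')
ORDER BY o.name, pr.name;
GO

-- 2. Remove the grant to public on both procedures.
REVOKE EXECUTE ON dbo.sp_get_dtspackage   FROM public;
REVOKE EXECUTE ON dbo.sp_enum_dtspackages FROM public;
GO

-- 3. Members of the db_dts* roles in msdb keep access through the role,
--    so review them as well ([_] matches a literal underscore).
SELECT  r.name AS role_name,
        m.name AS member_name,
        m.type_desc AS member_type
FROM    sys.database_role_members AS rm
JOIN    sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name LIKE N'db[_]dts%'
ORDER BY r.name, m.name;
GO

-- 4. After: re-run query 1. No row with grantee = 'public' should remain.
```

After the revoke, non-sysadmin principals that legitimately need to list or load packages stored in msdb need an explicit grant of EXECUTE on these procedures.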
