SQL 2008 R2 - Public role - Access Restriction

  • For SQL Server 2008 R2, we need to:

    1. remove EXECUTE permissions on extended stored procedures.

    2. if it can be done, remove all permissions from Public.

    Any ideas?

  • First of all, the public role shouldn't have any permissions assigned to it unless someone granted them explicitly. By default the public server role only has connect permission to the server. The public role has some permissions granted implicitly through the guest user, and you should be very careful removing any of them, because it can mean that users are no longer able to login or see certain server objects. The guest user is needed at least in master and tempdb. You can (and probably should) disable it in all user databases, but better stay away from the system databases.

    Here you can find some more info:

    http://blog.sqlauthority.com/2012/02/24/sql-server-guest-user-and-msdb-database-enable-guest-user-on-msdb-database/

    About the extended procedures, I hope you just want to deny exec to certain users or roles. While you can deny exec on quite a lot of them without doing any damage, you should also be aware of the fact that a lot of them are used by SSMS and other tools. For example, xp_readerrorlog is needed to view the SQL error log and xp_instance_regread is used during server startup. So if you really want to deny execute on some of them to all users including sysadmins, you should be very careful what you do.

    By the way, you can disable some XP procedures using sp_configure, like xp_cmdshell and all the SMO and DMO procedures.

    Hope this helps

    Markus Bohse
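As an added example (not part of the thread, and not Markus's script), the T-SQL below does the audit his reply implies before anything is revoked: it lists what the server-level public role actually holds, reports the guest user's state in every database, revokes guest in one user database while refusing the system databases, and shows the sp_configure switches for xp_cmdshell and the SMO/DMO XPs. It assumes a sysadmin connection to a SQL Server 2008 R2 instance; the database name YourUserDb is a placeholder you must replace.

```sql
-- Added example, not from the original post. Assumes a sysadmin connection.

-- 1. Server-level permissions held by public. On a default install this is
--    VIEW ANY DATABASE plus CONNECT on each endpoint (TSQL Default TCP,
--    TSQL Named Pipes, ...). Class 105 in sys.server_permissions is ENDPOINT.
SELECT sp.state_desc,
       sp.permission_name,
       sp.class_desc,
       ep.name AS endpoint_name
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS pr ON pr.principal_id = sp.grantee_principal_id
LEFT JOIN sys.endpoints AS ep ON sp.class = 105 AND ep.endpoint_id = sp.major_id
WHERE pr.name = N'public';

-- 2. Guest user state in every online database. Guest is "enabled" when it
--    holds a granted CONNECT permission at database scope.
DECLARE @guest TABLE (database_name sysname, guest_user nvarchar(20));
DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N',
        CASE WHEN EXISTS (SELECT 1
                          FROM ' + QUOTENAME(@db) + N'.sys.database_permissions AS dp
                          JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS p
                            ON p.principal_id = dp.grantee_principal_id
                          WHERE p.name = N''guest''
                            AND dp.class = 0
                            AND dp.permission_name = N''CONNECT''
                            AND dp.state = ''G'')
             THEN ''enabled'' ELSE ''disabled'' END;';
    INSERT INTO @guest EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;
SELECT * FROM @guest ORDER BY database_name;

-- 3. Disable guest in one user database. master, tempdb and msdb are refused:
--    logins, temp objects and SQL Agent / SSMS depend on guest there.
DECLARE @target sysname = N'YourUserDb';   -- placeholder, replace
IF @target IN (N'master', N'tempdb', N'msdb')
    RAISERROR(N'Leave guest enabled in the system databases.', 16, 1);
ELSE
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@target) + N'; REVOKE CONNECT FROM guest;';
    EXEC sp_executesql @sql;
END

-- 4. The features mentioned as "disable via sp_configure" are surface-area
--    options, not object permissions. run_value 0 means disabled.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell';
EXEC sp_configure 'SMO and DMO XPs';
EXEC sp_configure 'Ole Automation Procedures';
-- To turn one off:  EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Run section 1 and 2 first and keep the output; if step 3 later breaks an application, the saved state tells you exactly which database to restore with GRANT CONNECT TO guest.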

  • Markus, thanks for the brief reply.

    1. For extended SPs, I go to Database Properties --> Security --> Roles --> Database Roles --> Public --> Properties --> Securables.

    Here, I see a number of extended SPs. I had to select each one and then remove EXECUTE permission, and this has to be done for all user DBs. So, is there a way to do this either by query or GUI to revoke execute permission for all extended SPs?

    2. For Public role restriction, in Server role public --> Properties --> Permissions I see tcpip, named pipes etc. only with the CONNECT option enabled. So, if I need to remove all permissions for Public, should I use the server role public or the database role public? In the DB role public, as said above, it has execute permissions for most SPs, connect, etc.

  • balasach82 (2/28/2012)

    About 1) In my user databases the public role only has permissions on some system views, but no extended procedures, so I suspect someone added these permissions in the model database or after creation of a user database.

    About 2) the permissions you name are necessary for a login to connect to the server.

    You ask which permissions you need to remove, but that really depends on your requirements. As I stated earlier, by default the public role (server or database) only has the permissions which are necessary to connect and view certain server and database objects. If your public role has more permissions, I would first investigate why that is the case. Has someone added these permissions in the model database, so all new user databases will have them, or is it only in certain user databases? In the latter case maybe some application is depending on it?

    Markus Bohse
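The question of scripting the revoke across all user databases (and Markus's point that grants in model get copied into every new database) is answered by the following added example, which is not code from the thread. It walks every online database, records every permission the database-level public role holds, names the object each grant is on, and emits a REVOKE EXECUTE statement for each grant that targets an extended stored procedure (type X in sys.all_objects). It assumes a sysadmin connection to SQL Server 2008 R2 and only generates the script; read it before you run it, because the defaults in master include EXECUTE on xp_ procedures that SSMS and other tools call.

```sql
-- Added example, not from the original post. Generates a review list and a
-- REVOKE script; it executes nothing against public by itself.
SET NOCOUNT ON;

DECLARE @findings TABLE
(
    database_name sysname,
    state_desc    nvarchar(60),
    permission    nvarchar(128),
    object_type   nvarchar(60),
    object_name   nvarchar(300),
    revoke_stmt   nvarchar(max)
);

DECLARE @db sysname, @sql nvarchar(max);
DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases WHERE state_desc = N'ONLINE';
OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- USE inside the dynamic batch so OBJECT_SCHEMA_NAME and DB_NAME resolve
    -- in the database being inspected. Class 1 = OBJECT_OR_COLUMN.
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
SELECT DB_NAME(),
       dp.state_desc,
       dp.permission_name,
       COALESCE(o.type_desc, dp.class_desc),
       COALESCE(QUOTENAME(OBJECT_SCHEMA_NAME(o.object_id)) + N''.'' + QUOTENAME(o.name),
                N''(database scope)''),
       CASE WHEN o.type = ''X''
            THEN N''USE '' + QUOTENAME(DB_NAME()) + N''; REVOKE EXECUTE ON OBJECT::''
                 + QUOTENAME(OBJECT_SCHEMA_NAME(o.object_id)) + N''.'' + QUOTENAME(o.name)
                 + N'' FROM public;''
       END
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.all_objects AS o ON dp.class = 1 AND o.object_id = dp.major_id
WHERE pr.name = N''public'';';
    INSERT INTO @findings EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs; DEALLOCATE dbs;

-- Everything public holds, per database. Rows for [model] are the ones that
-- will reappear in every database created from now on.
SELECT database_name, state_desc, permission, object_type, object_name
FROM @findings
ORDER BY database_name, object_name;

-- Grants public holds on extended stored procedures, with the matching REVOKE.
-- Members of sysadmin bypass permission checks entirely, so this only
-- restricts ordinary logins; it cannot stop an administrator.
SELECT database_name, object_name, revoke_stmt
FROM @findings
WHERE revoke_stmt IS NOT NULL
ORDER BY database_name, object_name;
```

A practical way to use it: compare the first result set against a freshly installed instance of the same version. Rows present only on your server are the ones somebody added (in model or in the individual database), which is exactly the investigation Markus recommends before revoking anything.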
