Have you ever worked with a secure MS-SQL server/database?

I was just showing a youngster some MS-SQL stuff on a remote Internet
enabled shared server. He logged in with my User Name and Password. I
was busy for a minute. Then he said, "This (stored procedure) doesn't
seem to have anything to do with the db we talked about." I looked at it
and said, "What the hell is that?"
It seems he had clicked on the wrong DB. And it was entirely open to
him, including data edit. We checked the other DBs ... all the same. I
e-mailed tech support and of course they are right on it! Sure ....

So I thought about all the MS-SQL servers I had "experienced" over the
past five years. And it occurred to me that none of them was secure.
Maybe I laughed about these problems when they occurred (as the time the
db administrator told me I couldn't add an employee record and I
duplicated Stella Woo to append her twin sister and room mate, Deja. We
terminated Deja before payroll time. I also moved my nephew from Grade
12 to kindergarten; he was upset when the bus started to come for him
only every other day.)

Reads of rogue VTI files on my Interland Web site used to turn up DB
names, USER IDs and Passwords (not mine; I think mine were reserved for
other sites), cleverly d i s g u i s e d, or u n i c o d e d. I could
never decide which. When "decoded" they worked. When I contacted
Interland about this they said, "No problem, Just delete those files!"
UH HUH! That's about the time I left Interland, also P___ED because of
the difficulty in getting a backup (Whose data is this anyway?).

The db for a rather large US professional organization was another
example of being completely open. I had a job to do for them but
couldn't get the required db clearance (bureaucracy). So I logged in
with "Admin" and "Password" and everything was right there. Also there
were hidden (to the extent they appeared in no sprocs, views,
applications) columns of sexual comments about many of the females at
the head office. YUK ... bad enough to be an asshole but why make it so
obvious?

The system admin for an organization I used to work with consistently
used his last name and "Password" for everything. But the organization
couldn't keep him; he went to IBM for big bucks.

In my latest project I showed up at my prototype user's office the other
day because she had lost her connection. So we used the Access ADP
connection dialog to reconnect. Wham ... 25 Servers available (what kind
of an organization needs 25 servers anyway?). Could we connect to them
all? Yeppers? Could we connect to all the databases on each? Well, we
could to those few we tried. And how many databases does she work with?
Hint ... more than one and less than three.

SO back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?

Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?
Nov 13 '05 #1
On Sat, 22 Jan 2005 17:53:53 -0500, in comp.databases.ms-access you
wrote:

(big snip)
Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?

Didn't it come from Sybase?
David

Nov 13 '05 #2
David Schofield wrote:
On Sat, 22 Jan 2005 17:53:53 -0500, in comp.databases.ms-access you
wrote:

(big snip)

Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?


Didn't it come from Sybase?
David


Up 'til around version 4 it was Sybase and licensed to MS to run on
OS/2. I think 4.2 was the one just after the divorce when MS took over
the code and developed it for NT. I don't remember a v5 but 6 & 6.5 were
pretty unstable in terms of disaster recovery (pull the plug, database
gone, suspect, took a team of men in white coats or a pilgrimage to
Mecca to recover it). 7 was much improved and worthy of an "industrial
strength" tag (pull the plug, database recovered), 8 (2000) continues
this, I've not yet used 2003 but hear 2005 has something akin to Novell
SFT. A mirror/failover server support.

--
This sig left intentionally blank
Nov 13 '05 #3
Lyle Fairfield wrote:
SO back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?


By default everyone except the admins is locked out.
It's more of a pain to secure a database properly to allow the relevant
access than to open it up completely so it's probably down to laziness
on the dba's part.

I'm sure Admin and Password don't work on 'em all :-) Admin isn't even a
built in account, the default admin account is "sa" although with
Windows integrated logon anyone who's a member of Domain Admins would
also be equivalent of "sa".

--
This sig left intentionally blank
Nov 13 '05 #4
Trevor hit the nail on the head. Most likely they're all set up using
Windows integrated security and all the same accounts. Unless users were
excluded, or specific permissions were set up, they'd all have the same
rights everywhere.
--
Arvin Meyer, MCP, MVP
Microsoft Access
http://www.datastrat.com
http://www.mvps.org/access

"Lyle Fairfield" <ly******@yahoo.ca> wrote in message
news:8Q***************@read1.cgocable.net...
I was just showing a youngster some MS-SQL stuff on a remote Internet
enabled shared server. He logged in with my User Name and Password. I
was busy for a minute. Then he said, "This (stored procedure) doesn't
seem to have anything to do with the db we talked about." I looked at it
and said, "What the hell is that?"
It seems he had clicked on the wrong DB. And it was entirely open to
him, including data edit. We checked the other DBs ... all the same. I
e-mailed tech support and of course they are right on it! Sure ....

So I thought about all the MS-SQL servers I had "experienced" over the
past five years. And it occurred to me that none of them was secure.
Maybe I laughed about these problems when they occurred (as the time the
db administrator told me I couldn't add an employee record and I
duplicated Stella Woo to append her twin sister and room mate, Deja. We
terminated Deja before payroll time. I also moved my nephew from Grade
12 to kindergarten; he was upset when the bus started to come for him
only every other day.)

Reads of rogue VTI files on my Interland Web site used to turn up DB
names, USER IDs and Passwords (not mine; I think mine were reserved for
other sites), cleverly d i s g u i s e d, or u n i c o d e d. I could
never decide which. When "decoded" they worked. When I contacted
Interland about this they said, "No problem, Just delete those files!"
UH HUH! That's about the time I left Interland, also P___ED because of
the difficulty in getting a backup (Whose data is this anyway?).

The db for a rather large US professional organization was another
example of being completely open. I had a job to do for them but
couldn't get the required db clearance (bureaucracy). So I logged in
with "Admin" and "Password" and everything was right there. Also there
were hidden (to the extent they appeared in no sprocs, views,
applications) columns of sexual comments about many of the females at
the head office. YUK ... bad enough to be an asshole but why make it so
obvious?

The system admin for an organization I used to work with consistently
used his last name and "Password" for everything. But the organization
couldn't keep him; he went to IBM for big bucks.

In my latest project I showed up at my prototype user's office the other
day because she had lost her connection. So we used the Access ADP
connection dialog to reconnect. Wham ... 25 Servers available (what kind
of an organization needs 25 servers anyway?). Could we connect to them
all? Yeppers? Could we connect to all the databases on each? Well, we
could to those few we tried. And how many databases does she work with?
Hint ... more than one and less than three.

SO back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?

Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?

Nov 13 '05 #5
Lyle Fairfield <ly******@yahoo.ca> wrote in
news:8Q***************@read1.cgocable.net:
Did you ever think that MS-SQL is really a terrorist plant
designed to bring western civilization to a halt? No, REALLY! Did
MS ever create ANYTHING significant of its own? So how do you know
for sure where MS-SQL came from ...? huh?


You're such a complete idiot, Lyle. The whole tone of your post
blames the makers of SQL Server for the mistakes of DBAs who don't
know their asses from a hole in the ground (which is the vast
majority of them).

And you then have the nerve to say that replacing Jet as the default
db engine of Access with the MSDE is a good thing -- don't you
realize that such a thing will vastly increase the amount of
available unsecured data?

Of course, MS has fixed the problem, in that SQL Server 2000 SP 3
won't install without a password on the SA account (even though it
defaults to NT security instead of mixed mode; that is, the SQL
Server is secure even if you switch on SQL Server security). But not
everyone upgrades, for quite obvious reasons.

The fix is quite simple, of course, and the fact that so many
systems are wide open just shows that there are a lot of idiots out
there running major DB sites. Given the lack of understanding of
NTFS security I've seen everywhere, this doesn't surprise me in the
slightest -- the vast majority of people doing Windows system
administration have absolutely no training in real security. All
most of them know is the content of the MCSE exam, which clearly
doesn't do anything to teach good security practices.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #6
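The three replies above (#4, #5 and #6) between them name the settings a DBA would actually check: the authentication mode, whether sa still has a blank or trivial password, who is effectively sa through Windows group membership, and whether every database is open to any login that can reach the server. The T-SQL below is an added audit script, not something posted in the thread; it assumes SQL Server 2008 or later (catalog views and inline DECLARE initialisation) and a login with sysadmin or VIEW SERVER STATE rights. Assumed names are noted in the comments.

```sql
-- Added audit script (not from the thread). Assumes SQL Server 2008+ catalog views
-- and a sysadmin (or VIEW SERVER STATE) login to read them.

-- 1. Authentication mode: 1 = Windows authentication only,
--    0 = mixed mode, i.e. SQL logins such as sa are accepted.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Is sa enabled, and does it still carry a blank or guessable password?
--    PWDCOMPARE returns 1 when the clear-text value matches the stored hash.
--    'Password' is the value the thread complains about; add your own list.
SELECT name,
       is_disabled,
       PWDCOMPARE('', password_hash)         AS has_blank_password,
       PWDCOMPARE('Password', password_hash) AS has_password_Password
FROM sys.sql_logins
WHERE name = 'sa';

-- 3. Who is effectively "sa": every member of the sysadmin fixed server role,
--    including Windows groups (BUILTIN\Administrators, a Domain Admins group).
--    A group member here has full control of every database on the instance.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. User databases where the guest user holds CONNECT: that is what makes
--    "clicking the wrong DB" succeed for any login that can authenticate
--    to the server. master, tempdb and msdb need guest CONNECT by design.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql = @sql + N'
SELECT ' + QUOTENAME(name, '''') + N' AS database_name, dp.state_desc
FROM ' + QUOTENAME(name) + N'.sys.database_permissions dp
JOIN ' + QUOTENAME(name) + N'.sys.database_principals pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE pr.name = ''guest''
  AND dp.permission_name = ''CONNECT''
  AND dp.state = ''G'';'
FROM sys.databases
WHERE state_desc = 'ONLINE'
  AND name NOT IN ('master', 'tempdb', 'msdb');
EXEC sp_executesql @sql;

-- Remediation for each user database reported by step 4 (run inside it):
--   REVOKE CONNECT FROM guest;
-- If SQL logins are not needed at all, keep Windows-only mode and leave sa off:
--   ALTER LOGIN sa DISABLE;
```

An empty result from step 4 together with windows_auth_only = 1, a disabled sa and a short, named sysadmin list is the closest thing to a "yes" the original question asks for.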
David W. Fenton wrote:
And you then have the nerve to say that replacing Jet as the default
db engine of Access with the MSDE is a good thing ....


Did I say that? Well, if you say so, it must be true. What with all the
idiots you have identified getting in the way of clever conversation
it's rewarding to discuss things objectively with someone who has such
an urbane demeanor and quiet, self-confident intelligence as you, David.
Perhaps, the Fox network ...?
Nov 13 '05 #7
"Lyle Fairfield" <ly******@yahoo .ca> wrote
Perhaps, the Fox network ...?


Fox network? David? <ROFL>
Nov 13 '05 #8
