
Have you ever worked with a secure MS-SQL server/database?

I was just showing a youngster some MS-SQL stuff on a remote Internet
enabled shared server. He logged in with my User Name and Password. I
was busy for a minute. Then he said, "This (stored procedure) doesn't
seem to have anything to do with the db we talked about." I looked at it
and said, "What the hell is that?"
It seems he had clicked on the wrong DB. And it was entirely open to
him, including data edit. We checked the other DBs ... all the same. I
e-mailed tech support and of course they are right on it! Sure ....

So I thought about all the MS-SQL servers I had "experienced" over the
past five years. And it occurred to me that none of them was secure.
Maybe I laughed about these problems when they occurred (as the time the
db administrator told me I couldn't add an employee record and I
duplicated Stella Woo to append her twin sister and room mate, Deja. We
terminated Deja before payroll time. I also moved my nephew from Grade
12 to kindergarten; he was upset when the bus started to come for him
only every other day.)

Reads of rogue VTI files on my Interland Web site used to turn up DB
names, USER IDs and Passwords (not mine; I think mine were reserved for
other sites), cleverly d i s g u i s e d, or u n i c o d e d. I could
never decide which. When "decoded" they worked. When I contacted
Interland about this they said, "No problem, Just delete those files!"
UH HUH! That's about the time I left Interland, also P___ED because of
the difficulty in getting a backup (Whose data is this anyway?).

The db for a rather large US professional organization was another
example of being completely open. I had a job to do for them but
couldn't get the required db clearance (bureaucracy). So I logged in
with "Admin" and "Password" and everything was right there. Also there
were hidden (to the extent they appeared in no sprocs, views,
applications) columns of sexual comments about many of the females at
the head office. YUK ... bad enough to be an asshole but why make it so
obvious?

The system admin for an organization I used to work with consistently
used his last name and "Password" for everything. But the organization
couldn't keep him; he went to IBM for big bucks.

In my latest project I showed up at my prototype user's office the other
day because she had lost her connection. So we used the Access ADP
connection dialog to reconnect. Wham ... 25 Servers available (what kind
of an organization needs 25 servers anyway?). Could we connect to them
all? Yeppers? Could we connect to all the databases on each? Well, we
could to those few we tried. And how many databases does she work with?
Hint ... more than one and less than three.

SO back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?

Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?
Nov 13 '05 #1


On Sat, 22 Jan 2005 17:53:53 -0500, in comp.databases.ms-access you
wrote:

(big snip)
Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?

Didn't it come from Sybase?
David

Nov 13 '05 #2

David Schofield wrote:
On Sat, 22 Jan 2005 17:53:53 -0500, in comp.databases.ms-access you
wrote:

(big snip)

Did you ever think that MS-SQL is really a terrorist plant designed to
bring western civilization to a halt? No, REALLY! Did MS ever create
ANYTHING significant of its own? So how do you know for sure where
MS-SQL came from ...? huh?


Didn't it come from Sybase?
David


Up 'til around version 4 it was Sybase and licensed to MS to run on
OS/2. I think 4.2 was the one just after the divorce when MS took over
the code and developed it for NT. I don't remember a v5 but 6 & 6.5 were
pretty unstable in terms of disaster recovery (pull the plug, database
gone, suspect, took a team of men in white coats or a pilgrimage to
Mecca to recover it). 7 was much improved and worthy of an "industrial
strength" tag (pull the plug, database recovered), 8 (2000) continues
this, I've not yet used 2003 but hear 2005 has something akin to Novell
SFT. A mirror/failover server support.

--
This sig left intentionally blank
Nov 13 '05 #3

Lyle Fairfield wrote:
SO back to my question. Have you ever worked with a secure MS-SQL
server/database? How do you know for sure?


By default everyone except the admins is locked out.
It's more of a pain to secure a database properly to allow the relevant
access than to open it up completely so it's probably down to laziness
on the dba's part.

I'm sure Admin and Password don't work on 'em all :-) Admin isn't even a
built-in account, the default admin account is "sa" although with
Windows integrated logon anyone who's a member of Domain Admins would
also be the equivalent of "sa".

--
This sig left intentionally blank
Nov 13 '05 #4

Trevor hit the nail on the head. Most likely they're all set up using
Windows integrated security and all the same accounts. Unless users were
excluded, or specific permissions were set up, they'd all have the same
rights everywhere.
--
Arvin Meyer, MCP, MVP
Microsoft Access
http://www.datastrat.com
http://www.mvps.org/access

Nov 13 '05 #5

Lyle Fairfield <ly******@yahoo.ca> wrote in
news:8Q***************@read1.cgocable.net:
Did you ever think that MS-SQL is really a terrorist plant
designed to bring western civilization to a halt? No, REALLY! Did
MS ever create ANYTHING significant of its own? So how do you know
for sure where MS-SQL came from ...? huh?


You're such a complete idiot, Lyle. The whole tone of your post
blames the makers of SQL Server for the mistakes of DBAs who don't
know their asses from a hole in the ground (which is the vast
majority of them).

And you then have the nerve to say that replacing Jet as the default
db engine of Access with the MSDE is a good thing -- don't you
realize that such a thing will vastly increase the amount of
available unsecured data?

Of course, MS has fixed the problem, in that SQL Server 2000 SP 3
won't install without a password on the SA account (even though it
defaults to NT security instead of mixed mode; that is, the SQL
Server is secure even if you switch on SQL Server security). But not
everyone upgrades, for quite obvious reasons.

The fix is quite simple, of course, and the fact that so many
systems are wide open just shows that there are a lot of idiots out
there running major DB sites. Given the lack of understanding of
NTFS security I've seen everywhere, this doesn't surprise me in the
slightest -- the vast majority of people doing Windows system
administration have absolutely no training in real security. All
most of them know is the content of the MCSE exam, which clearly
doesn't do anything to teach good security practices.

--
David W. Fenton http://www.bway.net/~dfenton
dfenton at bway dot net http://www.bway.net/~dfassoc
Nov 13 '05 #6
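
Added example (not part of any post in this thread): a read-only T-SQL audit for the question "How do you know for sure?", covering the points raised in the replies above: authentication mode, who is equivalent to "sa", weak SQL login passwords, and which databases a given login can open. It assumes SQL Server 2008 or later (the sys.* catalog views and PWDCOMPARE) and permission to read sys.sql_logins for query 3.

```sql
-- Read-only audit; changes nothing on the server.
-- Assumption: SQL Server 2008 or later (sys.* catalog views, PWDCOMPARE).

-- 1. Authentication mode: 1 = Windows (NT) security only, 0 = mixed mode,
--    where SQL logins such as "sa" can be used.
SELECT CASE SERVERPROPERTY('IsIntegratedSecurityOnly')
         WHEN 1 THEN 'Windows authentication only'
         ELSE 'Mixed mode (SQL logins enabled)'
       END AS auth_mode;

-- 2. Everyone who is equivalent to "sa": members of the sysadmin fixed
--    server role, including Windows groups granted it wholesale.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.type_desc, m.name;

-- 3. SQL logins whose password is blank or identical to the login name.
--    Needs permission to read password_hash (a sysadmin has it).
SELECT name, is_disabled,
       CASE WHEN PWDCOMPARE('', password_hash) = 1 THEN 'blank password'
            ELSE 'password same as login name'
       END AS weakness
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 4. Databases the *current* login can actually open. Run this while
--    connected as an ordinary user, not as an administrator.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       d.name                       AS database_name
FROM sys.databases AS d
WHERE HAS_DBACCESS(d.name) = 1
  AND d.name NOT IN ('master', 'tempdb', 'model', 'msdb')
ORDER BY d.name;
```

Queries 1 to 3 are meant to be run by an administrator; query 4 is most telling under an ordinary user's login, where it should list only the databases that user actually works with.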

David W. Fenton wrote:
And you then have the nerve to say that replacing Jet as the default
db engine of Access with the MSDE is a good thing ....


Did I say that? Well, if you say so, it must be true. What with all the
idiots you have identified getting in the way of clever conversation
it's rewarding to discuss things objectively with someone who has such
an urbane demeanor and quiet, self-confident intelligence as you, David.
Perhaps, the Fox network ...?
Nov 13 '05 #7

"Lyle Fairfield" <ly******@yahoo.ca> wrote
Perhaps, the Fox network ...?


Fox network? David? <ROFL>
Nov 13 '05 #8
