Database security (non-existent?)

I recently downloaded and installed SQLServer Express. I am considering
using it as the backend db for my app (i.e. moving from the current
PostgreSQL).

I run sqlcmd without specifying any username or pwd, and I was surprised
that I had access to the 'server', and could create and drop databases
(admittedly I dropped only the dbs I created). This appears to be a
*HUGE* security flaw - unless (I hope), I have missed something.

Also, does anyone know where I can get help at the command line, so I
can interrogate the server (e.g. viewing list of available dbs, tables
in a db, db/view schema etc).

Last but not the least, is there a frontend for SSE?
Jun 27 '08 #1
"Annonymous Coward" <me@home.com> wrote in message
news:j4******************************@bt.com...
> I run sqlcmd without specifying any username or pwd, and I was surprised
> that I had access to the 'server', and could create and drop databases
> (admittedly I dropped only the dbs I created). This appears to be a *HUGE*
> security flaw - unless (I hope), I have missed something.
This is not a security flaw. When you run sqlcmd without providing the
user/password via the -U/-P parameters, sqlcmd by default uses a trusted
connection with your Windows account (which is the -E option).

See more details on all options here:
http://msdn.microsoft.com/en-us/library/ms165702.aspx
> Also, does anyone know where I can get help at the command line, so I can
> interrogate the server (e.g. viewing list of available dbs, tables in a
> db, db/view schema etc).
SQL Server Books Online is the complete documentation for SQL Server.
http://technet.microsoft.com/en-us/s.../bb428874.aspx

Here is direct link to the topic on how to query the system catalog:
http://msdn.microsoft.com/en-us/library/ms345522.aspx

And the system catalog map download:
http://www.microsoft.com/downloads/d...displaylang=en

> Last but not the least, is there a frontend for SSE?
SQL Server Management Studio Express:
http://www.microsoft.com/downloads/d...displaylang=en
HTH,

Plamen Ratchev
http://www.SQLStudio.com

Jun 27 '08 #2
"Annonymous Coward" <me@home.com> wrote in message
news:j4******************************@bt.com...
> I recently downloaded and installed SQLServer Express. I am considering using
> it as the backend db for my app (i.e. moving from the current PostgreSQL).
>
> I run sqlcmd without specifying any username or pwd, and I was surprised
> that I had access to the 'server', and could create and drop databases
> (admittedly I dropped only the dbs I created). This appears to be a *HUGE*
> security flaw - unless (I hope), I have missed something.
Umm, not really. This is by design. Especially if you have any sorts of
admin capabilities on your box.

BTW, based on this and your other post, I would highly recommend you pick up
a book (check out Microsoft Press) on SQL Server 2005 security. There's far
too much to learn than you can adequately learn in a newsgroup like this.

Simply put, done correctly SQL Server 2005 is pretty much as secure as
anything else out there.

> Also, does anyone know where I can get help at the command line, so I can
> interrogate the server (e.g. viewing list of available dbs, tables in a
> db, db/view schema etc).
>
> Last but not the least, is there a frontend for SSE?
Yes. I don't have the URL off-hand though.
--
Greg Moore
SQL Server DBA Consulting Remote and Onsite available!
Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html
Jun 30 '08 #3
"Greg D. Moore (Strider)" <mo****************@greenms.com> wrote in message
news:SI******************************@earthlink.com...
> "Annonymous Coward" <me@home.com> wrote in message
> news:j4******************************@bt.com...
>> I recently downloaded and installed SQLServer Express. I am considering
>> using it as the backend db for my app (i.e. moving from the current
>> PostgreSQL).
>>
>> I run sqlcmd without specifying any username or pwd, and I was surprised
>> that I had access to the 'server', and could create and drop databases
>> (admittedly I dropped only the dbs I created). This appears to be a
>> *HUGE* security flaw - unless (I hope), I have missed something.
>
> Umm, not really. This is by design. Especially if you have any sorts of
> admin capabilities on your box.
>
> BTW, based on this and your other post, I would highly recommend you pick
> up a book (check out Microsoft Press) on SQL Server 2005 security.
> There's far too much to learn than you can adequately learn in a newsgroup
> like this.
>
> Simply put, done correctly SQL Server 2005 is pretty much as secure as
> anything else out there.
[ SNIP ]

I would also recommend a book. However, reading articles like
http://technet.microsoft.com/en-us/l.../ms345149.aspx is certainly a good
start.

AHS
Jul 2 '08 #4
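
The trusted-connection behaviour and the system catalog queries pointed to in reply #2, as an added example that is not part of any post in this thread: T-SQL batches to type at the sqlcmd prompt that show which login the connection mapped to, whether it holds sysadmin, and how to list databases, tables and columns. ExampleDb and ExampleTable are placeholder names.

```sql
-- Added example (not from the thread). Type at the sqlcmd prompt; GO sends each batch.

-- 1. Which login did this connection map to, and how was it authenticated?
--    auth_scheme is NTLM or KERBEROS for a trusted (Windows) connection and
--    SQL for a -U/-P login. Reading this view needs VIEW SERVER STATE.
SELECT SUSER_SNAME()                AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 = member of sysadmin
       c.auth_scheme
FROM sys.dm_exec_connections AS c
WHERE c.session_id = @@SPID;
GO

-- 2. Which logins are members of sysadmin? A WINDOWS_GROUP row that your
--    Windows account belongs to explains create/drop rights without a password.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
GO

-- 3. List the databases on the instance.
SELECT name, database_id, create_date
FROM sys.databases
ORDER BY name;
GO

-- 4. List tables and views in one database (ExampleDb is a placeholder).
USE ExampleDb;
GO
SELECT TABLE_SCHEMA, TABLE_NAME, TABLE_TYPE
FROM INFORMATION_SCHEMA.TABLES
ORDER BY TABLE_SCHEMA, TABLE_NAME;
GO

-- 5. Show the columns of one table (ExampleTable is a placeholder).
SELECT COLUMN_NAME, DATA_TYPE, CHARACTER_MAXIMUM_LENGTH, IS_NULLABLE
FROM INFORMATION_SCHEMA.COLUMNS
WHERE TABLE_SCHEMA = 'dbo' AND TABLE_NAME = 'ExampleTable'
ORDER BY ORDINAL_POSITION;
GO
```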
