469,607 Members | 1,953 Online
Bytes | Developer Community
New Post

Home Posts Topics Members FAQ

Post your question to a community of 469,607 developers. It's quick & easy.

Database security (non-existent?)

I recently downloaded and install SQLServer Express. I am considering
using it as the backend db for my app (i.e. moving from the current
PostgreSQL).

I run sqlcmd without specifying any username or pwd, and I was suprised
that I had access to the 'server', and could create and drop databses
(admittedly I dropped only the dbs I created). This appears to be a
*HUGE* security flaw - unless (I hope), I have missed something.

Also, does anyone know where I can get help at the command line, so I
can interrogate the server (e.g. viewing list of available dbs, tables
in a db, db/view schema etc).

Last but not the least, is there a frontend for SSE?
Jun 27 '08 #1
3 1213
"Annonymous Coward" <me@home.comwrote in message
news:j4******************************@bt.com...
I run sqlcmd without specifying any username or pwd, and I was suprised
that I had access to the 'server', and could create and drop databses
(admittedly I dropped only the dbs I created). This appears to be a *HUGE*
security flaw - unless (I hope), I have missed something.
This is not a security flaw. When you run sqlcmd without providing the
user/password via the -U/-P parameters, sqlcmd by default uses a trusted
connection with your Windows account (which is the -E option).

See more details on all options here:
http://msdn.microsoft.com/en-us/library/ms165702.aspx
Also, does anyone know where I can get help at the command line, so I can
interrogate the server (e.g. viewing list of available dbs, tables in a
db, db/view schema etc).
SQL Server Books Online is the complete documentation for SQL Server.
http://technet.microsoft.com/en-us/s.../bb428874.aspx

Here is direct link to the topic on how to query the system catalog:
http://msdn.microsoft.com/en-us/library/ms345522.aspx

And the system catalog map download:
http://www.microsoft.com/downloads/d...displaylang=en

Last but not the least, is there a frontend for SSE?
SQL Server Management Studio Express:
http://www.microsoft.com/downloads/d...displaylang=en
HTH,

Plamen Ratchev
http://www.SQLStudio.com

Jun 27 '08 #2
"Annonymous Coward" <me@home.comwrote in message
news:j4******************************@bt.com...
>I recently downloaded and install SQLServer Express. I am considering using
it as the backend db for my app (i.e. moving from the current PostgreSQL).

I run sqlcmd without specifying any username or pwd, and I was suprised
that I had access to the 'server', and could create and drop databses
(admittedly I dropped only the dbs I created). This appears to be a *HUGE*
security flaw - unless (I hope), I have missed something.
Umm, not really. This is by design. Especially if you have any sorts of
admin capabilities on your box.

BTW, based on this and your other post, I would highly recommend you pick up
a book (check out Microsoft Press) on SQL Server 2005 security. There's far
to much to learn than you can adequately learn in a newsgroup like this.

Simply put, done correctly SQL Server 2005 is pretty much as secure as
anything else out ther.e

Also, does anyone know where I can get help at the command line, so I can
interrogate the server (e.g. viewing list of available dbs, tables in a
db, db/view schema etc).

Last but not the least, is there a frontend for SSE?
Yes. I don't have the URL off-hand thouhg.
--
Greg Moore
SQL Server DBA Consulting Remote and Onsite available!
Email: sql (at) greenms.com http://www.greenms.com/sqlserver.html
Jun 30 '08 #3
"Greg D. Moore (Strider)" <mo****************@greenms.comwrote in message
news:SI******************************@earthlink.co m...
"Annonymous Coward" <me@home.comwrote in message
news:j4******************************@bt.com...
>>I recently downloaded and install SQLServer Express. I am considering
using it as the backend db for my app (i.e. moving from the current
PostgreSQL).

I run sqlcmd without specifying any username or pwd, and I was suprised
that I had access to the 'server', and could create and drop databses
(admittedly I dropped only the dbs I created). This appears to be a
*HUGE* security flaw - unless (I hope), I have missed something.

Umm, not really. This is by design. Especially if you have any sorts of
admin capabilities on your box.

BTW, based on this and your other post, I would highly recommend you pick
up a book (check out Microsoft Press) on SQL Server 2005 security.
There's far to much to learn than you can adequately learn in a newsgroup
like this.

Simply put, done correctly SQL Server 2005 is pretty much as secure as
anything else out ther.e
[ SNIP ]

I would also recommend a book. However, reading articles like
http://technet.microsoft.com/en-us/l.../ms345149.aspx is certainly a good
start.

AHS
Jul 2 '08 #4

This discussion thread is closed

Replies have been disabled for this discussion.

Similar topics

4 posts views Thread by Ant | last post: by
5 posts views Thread by Paul .V. | last post: by
29 posts views Thread by Martin | last post: by
reply views Thread by devrayhaan | last post: by
By using this site, you agree to our Privacy Policy and Terms of Use.