liyihongcug
Posted: 2008-4-16 14:51
Subject: How to resolve the following database security issues
Audit sheet columns: No | Title | Comply | Comment
No: 4
Title: The SQL Server Agent account is not a member of the local or domain administrator group.
The service account (SQL Server Agent) is not granted the interactive logon right, but requires the following rights:
A) Act as part of the operating system
B) Replace a process-level token
C) Log on as a service
D) Access this computer from the network
E) May require the "Log on as a batch job" right
Comply: No
Comment: The administrator or system accounts shall not be used to run any MSSQL services.
We make the SQL Server Agent start automatically.
- It is not an automatic-start issue, but the account used to run the SQL services. Please create a user account to run the SQL services and grant it the user-right assignments mentioned in the title.
No: 6
Title: SQL Server object privileges include SELECT, INSERT, UPDATE, DELETE, REFERENCES, and EXECUTE. No object privilege shall be granted to PUBLIC or GUEST.
Findings: (none recorded)
Comply: No
Comment: Check with the following query against the SQL Server 2000 system tables:

USE databaseName
GO
-- Lists GRANT rows (protecttype 205) in the current database that are either
-- REFERENCES grants (action 26), held by public or guest, or on system objects (type 'S').
SELECT sysusers.name, sysobjects.name, sysprotects.action
FROM sysobjects, sysusers, sysprotects
WHERE sysobjects.id = sysprotects.id
  AND sysprotects.uid = sysusers.uid
  AND sysprotects.protecttype = 205
  AND (sysprotects.action = 26
       OR sysusers.name = 'public'
       OR sysusers.name = 'guest'
       OR sysobjects.type = 'S')

The guest account is disabled. Change public to public owner.
- All the users or groups need to be removed from the system objects, based on the database and object privileges mentioned in the text file.
No: 8
Title: System-defined extended stored procedures are restricted to authorised DBAs only.
Findings:
public xp_regread
Comply: No
Comment: Check with the following queries. Run them in master, where the extended stored procedures are defined; protecttype 205 = GRANT.

1) Grants on the OLE Automation procedures:
SELECT sysusers.name, sysobjects.name
FROM sysobjects, sysusers, sysprotects
WHERE sysobjects.id = sysprotects.id
  AND sysprotects.uid = sysusers.uid
  AND sysprotects.protecttype = 205
  AND sysobjects.name LIKE 'sp_oa%'

2) Grants on the registry procedures:
SELECT sysusers.name, sysobjects.name
FROM sysobjects, sysusers, sysprotects
WHERE sysobjects.id = sysprotects.id
  AND sysprotects.uid = sysusers.uid
  AND sysprotects.protecttype = 205
  AND sysobjects.name LIKE 'xp_reg%'

If results are returned, ensure that these procedures are not granted to non-DBA users.
We did not create this stored procedure, and we make no change to it as it belongs to the system level.
- Understood that this is the default setting for SQL Server, but based on security concerns the public group needs to be removed from all system objects.
No: 9
Title: The following stored procedures shall be restricted to DBA only.
Findings:
public xp_getnetname
public xp_dirtree
public xp_fixeddrives
public xp_sscanf
public xp_revokelogin
public xp_grantlogin
public xp_sprintf
public xp_regread
Comply: No
Comment: Can be checked by the following query (run in master; protecttype 205 = GRANT):

SELECT sysusers.name, sysobjects.name
FROM sysobjects, sysusers, sysprotects
WHERE sysobjects.id = sysprotects.id
  AND sysprotects.uid = sysusers.uid
  AND sysprotects.protecttype = 205
  AND sysobjects.name IN (
        'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
        'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop', 'sp_sdidebug',
        'xp_availablemedia', 'xp_cmdshell', 'xp_deletemail', 'xp_dirtree',
        'xp_dropwebtask', 'xp_dsninfo', 'xp_enumdsn', 'xp_enumerrorlogs',
        'xp_enumgroups', 'xp_enumqueuedtasks', 'xp_eventlog', 'xp_findnextmsg',
        'xp_fixeddrives', 'xp_getfiledetails', 'xp_getnetname', 'xp_grantlogin',
        'xp_logevent', 'xp_loginconfig', 'xp_logininfo', 'xp_regread',
        'xp_perfend', 'xp_perfmonitor', 'xp_perfsample', 'xp_perfstart',
        'xp_readerrorlog', 'xp_readmail', 'xp_revokelogin', 'xp_runwebtask',
        'xp_schedulersignal', 'xp_sendmail', 'xp_servicecontrol',
        'xp_snmp_getstate', 'xp_snmp_raisetrap', 'xp_sprintf', 'xp_sqlinventory',
        'xp_sqlregister', 'xp_sqltrace', 'xp_sscanf', 'xp_startmail',
        'xp_stopmail', 'xp_subdirs', 'xp_unc_to_drive'
      )

If results are returned, ensure that these procedures are not granted to non-DBA users.
We did not create this stored procedure, and we make no change to it as it belongs to the system level.
- Understood that this is the default setting for SQL Server, but based on security concerns the public group needs to be removed from all system objects.
No: 10
Title: The ODBC trace library (odbctrac.dll) has been removed from production systems.
Comply: No
Comment: Check at the OS level.
We found the file exists in the folder C:\winnt\system32\
- Yes, it shall be removed or deleted.
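As an added example, not part of the original post or the audit sheet, the following T-SQL combines the checks behind items 6, 8 and 9: it decodes the numeric sysprotects columns the audit queries filter on, lists every GRANT held by public or guest on extended stored procedures in master, and generates the matching REVOKE statements that the auditor's remarks call for. It assumes the SQL Server 2000 system tables (sysobjects, sysusers, sysprotects) that the audit queries use; the @apply switch and the cursor wrapper are my own additions.

```sql
-- Added example, not from the original post: decode sysprotects for public/guest
-- grants on extended stored procedures in master and generate REVOKE statements.
-- Assumes SQL Server 2000 system tables, as used by the audit queries above.
-- Run as a sysadmin in Query Analyzer or osql.
USE master
GO
SET NOCOUNT ON

DECLARE @apply bit
SET @apply = 0          -- 0 = only print the REVOKE statements; 1 = execute them

DECLARE @grantee  sysname,
        @object   sysname,
        @perm     varchar(30),
        @protect  varchar(30),
        @stmt     nvarchar(512)

DECLARE grants CURSOR LOCAL FAST_FORWARD FOR
    SELECT u.name,
           o.name,
           -- sysprotects.action is the numeric permission type
           CASE p.action
                WHEN 26  THEN 'REFERENCES'
                WHEN 193 THEN 'SELECT'
                WHEN 195 THEN 'INSERT'
                WHEN 196 THEN 'DELETE'
                WHEN 197 THEN 'UPDATE'
                WHEN 224 THEN 'EXECUTE'
                ELSE 'ACTION_' + CAST(p.action AS varchar(10))
           END,
           -- sysprotects.protecttype: 204 = GRANT WITH GRANT OPTION, 205 = GRANT, 206 = DENY
           CASE p.protecttype
                WHEN 204 THEN 'GRANT WITH GRANT OPTION'
                WHEN 205 THEN 'GRANT'
                WHEN 206 THEN 'DENY'
           END
    FROM sysprotects p
    JOIN sysobjects  o ON o.id  = p.id
    JOIN sysusers    u ON u.uid = p.uid
    WHERE p.protecttype IN (204, 205)            -- grants only; DENY rows already restrict
      AND u.name IN ('public', 'guest')
      AND (o.type = 'X'                          -- X = extended stored procedure
           OR o.name LIKE 'sp_OA%')              -- OLE Automation procs carry the sp_ prefix
    ORDER BY o.name, u.name

OPEN grants
FETCH NEXT FROM grants INTO @grantee, @object, @perm, @protect
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Build the REVOKE; CASCADE is required when the grant carried GRANT OPTION,
    -- so that anything re-granted from it is removed as well.
    SET @stmt = N'REVOKE ' + @perm + N' ON ' + QUOTENAME(@object)
              + N' FROM ' + QUOTENAME(@grantee)
              + CASE WHEN @protect = 'GRANT WITH GRANT OPTION' THEN N' CASCADE' ELSE N'' END
    PRINT @protect + ' on ' + @object + ' held by ' + @grantee + '  -->  ' + @stmt
    IF @apply = 1
        EXEC sp_executesql @stmt
    FETCH NEXT FROM grants INTO @grantee, @object, @perm, @protect
END
CLOSE grants
DEALLOCATE grants
```

Leave @apply at 0 for the first run and read the printed list: a default SQL Server 2000 install grants public EXECUTE on many of these procedures, and some administrative tools of that era call xp_dirtree and xp_fixeddrives as the connected user, so check which of your own jobs and tools depend on them before setting @apply = 1. After applying, re-run the audit queries from items 8 and 9; they should return no rows for public or guest.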