MIcrosft SQLServer Best Practices document on securing SQLServer

I'm chasing after a documetn that was available on one of the Microsoft
websites that was titled somethign like "MS SQL Server Best Practices"
and detailed a nyumber of best practices about securing the server.

Included in this was revoking public access to the system table
objects.

Can someone post the URL where I can pick this up, or drop me a note on
contacting them for a copy of the document?

"byrocat" <bdealhoy@sympatico.ca> wrote in message
news:1122653744.611069.56230@o13g2000cwo.googlegroups.com...
> I'm chasing after a documetn that was available on one of the Microsoft
> websites that was titled somethign like "MS SQL Server Best Practices"
> and detailed a nyumber of best practices about securing the server.
>
> Included in this was revoking public access to the system table
> objects.
>
> Can someone post the URL where I can pick this up, or drop me a note on
> contacting them for a copy of the document?
>

You can find the Microsoft security docs, including a best practices white
paper, here:

[url]http://www.microsoft.com/sql/techinfo/administration/2000/security/default.mspx[/u
rl]

I don't know of any good reason to revoke public permissions on system
tables - it might actually break something if users can't retrieve metadata
for some operations. Books Online states that a REVOKE applied to the public
role applies to all database users, which is probably not desirable in many
cases.

This issue often seems to be raised by IT auditors, probably because it has
somehow became part of an industry-standard audit checklist, but the MS best
practices document says only "do not grant additional permissions to this
role", implying that the existing permissions are fine:

http://www.microsoft.com/technet/pr...n/sp3sec02.mspx

Simon

byrocat (bdealhoy@sympatico.ca)  writes:
> I'm chasing after a documetn that was available on one of the Microsoft
> websites that was titled somethign like "MS SQL Server Best Practices"
> and detailed a nyumber of best practices about securing the server.
>
> Included in this was revoking public access to the system table
> objects.

I would not do this. At least not without extensive testing first.

The fact that all metadata is open to anyone is not entirely
satisfyable, but the opposite is not good either.

In SQL 2005 things are different. Here you can only see metadata
for objects that you have access to. Unfortunately, this important
distinction is not possible to make in SQL 2000.


--
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techin.../2000/books.asp