From the OpenHack 4 config and with confirmation of Richard Waymire at Microsoft.
quote:
I only know of ONE - the table master..spt_server_info
This isn't one. It's revoked from public.
quote:
But I think I'm wrong about this, because if I was right, you could just run DENY SELECT ON SPT_SERVER_INFO TO GUEST in the master database if you wanted to lock this down.
In keeping with what I said:
REVOKE ALL ON [dbo].[spt_server_info] to public
The permissions given back to public:
GRANT SELECT on spt_values to public
GRANT EXEC on sp_MSHasDBAccess to public
quote:
By the way, I just used my sandbox server to conduct an interesting test. I turned on 'allow updates' and ripped guest out of sysusers. That was interesting. I think maybe I should've just changed its status, but that would've required research. Am I the only one who tries stuff like this? Fortunately, I was barely clever enough to back out the cataclysmic problems that I was stupid enough to cause ... and like I said, it was just a sandbox anyway (and I had fresh backups of master!)...
Yup. I spent over a year doing this stuff every waking hour when I was working on a SQL Server Security book with APress (now cancelled, unfortunately, due to market and time constraints). Guest is in every database and the 0 or 1 determines whether it's active.
K. Brian Kelley
http://www.truthsolutions.com/
Author: Start to Finish Guide to SQL Server Performance Monitoring
http://www.netimpress.com/shop/product.asp?ProductID=NI-SQL1
Edited by - bkelley on 07/16/2003 12:07:32 PM