« Previous Next »

• 06-22-2008, 9:27 AM

  dstevens10 Joined on 06-22-2008, 2:13 AM Posts 15

  Restriced SQL Server DB connection not being restricted Reply Contact We have an ASP website that connects to a SQL Server 2005 DB.  We use a dedicated user login in the connection string that has restricted rights on the DB (db_datareader and db_denydatawriter rights; furthermore, I've denied SELECT access to all of the system tables (sysobjects) for this user).  Yet, on Friday, we fell victim to a SQL injection where the malicious querystring included "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE...".  How could this happen using the restricted DB connection for the page?

• 06-22-2008, 11:59 PM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 5,648

  Re: Restriced SQL Server DB connection not being restricted Reply Contact The sql injections are being a pain. When you manually run the statement on the sql server connected to that user, does it execute or are you denied? I'd look at some tools to block sql injection attacks along with updating the code, if possible. http://www.port80software.com/products/serverdefender/ http://www.aqtronix.com/?PageID=99 I've not used either product personally, but they claim to help block sql injections.  I'd test them on a non-prod machine before deploying to a production environment. Steve Schofield Windows Server MVP - ASP.NET / IIS http://www.iislogs.com/steveschofield http://www.IISLogs.com Enterprise Log management solution Install, Configure, Forget Questions on Microsoft SMTP Service - visit http://www.smtp.ws IIS Community Newsletter - visit http://www.iisnewsletter.com

• 06-23-2008, 8:38 AM

  In reply to

  dstevens10 Joined on 06-22-2008, 2:13 AM Posts 15	Re: Restriced SQL Server DB connection not being restricted Reply Contact When I manually run a simple SELECT statement like "SELECT * from sysobjects" directly within SQL Server, it denies the request when I'm logged on as that user.  Any thoughs?

• 06-23-2008, 9:22 AM

  In reply to

  Rovastar Joined on 03-13-2008, 2:00 PM London, UK Posts 3,004	Re: Restriced SQL Server DB connection not being restricted Reply Contact Do the sql server logs confirm that when you access the database via the page that the user is teh same one? http://www.iisportal.com

• 06-23-2008, 9:37 AM

  In reply to

  dstevens10 Joined on 06-22-2008, 2:13 AM Posts 15	Re: Restriced SQL Server DB connection not being restricted Reply Contact good question.  My only interface to manage the DB is via Management Studio.  I'll ask the support team to look into this.

• 06-23-2008, 9:44 AM

  In reply to

  steve schofield Joined on 06-10-2002, 8:54 PM MI Posts 5,648

  Re: Restriced SQL Server DB connection not being restricted Reply Contact if you run a sql profiler trace, it would confirm which user account machine name and database that is executing the code. Here is a quick how-to on sql profiler. http://www.developer.com/db/article.php/3482216 http://www.developer.com/db/article.php/3490086 Steve Schofield Windows Server MVP - ASP.NET / IIS http://www.iislogs.com/steveschofield http://www.IISLogs.com Enterprise Log management solution Install, Configure, Forget Questions on Microsoft SMTP Service - visit http://www.smtp.ws IIS Community Newsletter - visit http://www.iisnewsletter.com