  1. #1
    Join Date
    Mar 2008
    Posts
    23

    Unanswered: Guest account issue

    Hi,

    I have some questions regarding guest acct. I am using some database security scanning software (again) and it says that guest acct should be dropped from these databases, msdb, pubs, Northwind.

    Can I safely say that I can drop the guest acct in pubs and Northwind without any issue?

    For msdb, will there be any concerns? How can I verify?

    If I just revoke the public permission on guest, is it the same as dropping the user?

    Lastly, I see that in all databases, the guest acct exists, but some are of permit and some are of via group membership for the database access column. What is the difference?

    Thanks guys. Appreciate your help. Audit deadline coming up... I still have about 20 more audit pts to go...

  2. #2
    Join Date
    Jun 2007
    Location
    Ohio, USA
    Posts
    142
    Quote Originally Posted by cghcgh
    Can I safely say that I can drop the guest acct in pubs and Northwind without any issue?
    Why not just drop Pubs and Northwind?

    Quote Originally Posted by cghcgh
    For msdb, will there be any concerns? How can I verify?
    You have a test server, right?

    Quote Originally Posted by cghcgh
    If I just revoke the public permission on guest, is it the same as dropping the user?
    Nope. It restricts it, but it doesn't eliminate it.

    Quote Originally Posted by cghcgh
    Lastly, I see that in all databases, the guest acct exists, but some are of permit and some are of via group membership for the database access column. What is the difference?
    Not sure what you mean by group membership in this case. Are you talking about Windows groups? Database Roles?

    Have a look at this, as well. This is what I use for database security. May be overkill for your purposes, but it makes a good read anyway.

    http://iase.disa.mil/stigs/stig/

    Good luck on your audit.
    David Maxwell
    Data Integrity? Yeah, I've heard of that...

  3. #3
    Join Date
    Mar 2008
    Posts
    23
    Hi, thanks for the reply.

    We have test servers, but I only support the database portion and do not support the applications that use the databases. Therefore I can't really verify. Is there any way in which I can verify?

    For the guest acct, if I just revoke the public permission instead of dropping, it's easier to revert back than to create, I presume.

    Lastly, when you open up Enterprise Manager and go into the database and then users, it will show you the database users for that database, and there will be a database access column. I just don't quite understand why some databases show 'permit' whereas some show 'via group membership'. What's the diff?

  4. #4
    Join Date
    Jun 2007
    Location
    Ohio, USA
    Posts
    142
    Quote Originally Posted by cghcgh
    We have test servers, but I only support the database portion and do not support the applications that use the databases. Therefore I can't really verify. Is there any way in which I can verify?
    I would take a profiler trace while the applications are running and see how they access the databases. End user applications don't normally access msdb, though it's not unheard of. If they are accessing msdb, they definitely shouldn't be doing it as 'guest'.

    FYI: I think this may more accurately address your concerns:

    http://forums.microsoft.com/TechNet/...1597&SiteID=17

    -D.
    David Maxwell
    Data Integrity? Yeah, I've heard of that...

  5. #5
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    Revoking permissions from public may be harder to restore, if you need to. You would have to record what you remove. It is much easier to just re-add the guest user.

  6. #6
    Join Date
    Jun 2007
    Location
    Ohio, USA
    Posts
    142
    I think he meant removing 'guest' from the public role. At least, that's what I took it to mean.
    David Maxwell
    Data Integrity? Yeah, I've heard of that...

  7. #7
    Join Date
    Jan 2003
    Location
    Massachusetts
    Posts
    5,800
    Provided Answers: 11
    You can try to do that, but public is just that: public. Everyone is a member of public. Only way to get out of public is to be out of the database.

  8. #8
    Join Date
    Jun 2007
    Location
    Ohio, USA
    Posts
    142
    True. Sorry for the confusion.
    David Maxwell
    Data Integrity? Yeah, I've heard of that...
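
An audit query for the question discussed in this thread, added here as an example and not posted by any participant. It assumes SQL Server 2000 (the thread mentions Enterprise Manager) and its system tables; on later versions guest is disabled with `REVOKE CONNECT FROM guest` instead of `sp_revokedbaccess`.

```sql
-- Added example, not from the thread. Assumes SQL Server 2000 system tables
-- (sysdatabases, sysusers, sysprotects) and the sample databases named above.
SET NOCOUNT ON

CREATE TABLE #guest_audit (
    dbname      sysname,
    hasdbaccess int,   -- 1 = guest can enter the database
    perm_rows   int    -- permissions granted or denied directly to guest
)

DECLARE @db sysname, @sql nvarchar(4000)

DECLARE db_cur CURSOR FAST_FORWARD FOR
    SELECT name FROM master.dbo.sysdatabases
    WHERE DATABASEPROPERTYEX(name, 'Status') = 'ONLINE'

OPEN db_cur
FETCH NEXT FROM db_cur INTO @db
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME keeps odd database names from breaking the dynamic SQL
    SET @sql = N'INSERT #guest_audit
        SELECT ' + QUOTENAME(@db, '''') + N', u.hasdbaccess,
               (SELECT COUNT(*) FROM ' + QUOTENAME(@db) + N'.dbo.sysprotects p
                 WHERE p.uid = u.uid)
          FROM ' + QUOTENAME(@db) + N'.dbo.sysusers u
         WHERE u.name = N''guest'''
    EXEC (@sql)
    FETCH NEXT FROM db_cur INTO @db
END
CLOSE db_cur
DEALLOCATE db_cur

-- One row per database that has a guest entry
SELECT dbname, hasdbaccess, perm_rows FROM #guest_audit ORDER BY dbname
DROP TABLE #guest_audit
GO

-- Remove guest from a sample database; the rollback is the commented line
USE Northwind
EXEC sp_revokedbaccess N'guest'
-- EXEC sp_grantdbaccess N'guest'
GO
```

The guest user cannot be removed from master or tempdb, so rows for those two databases are expected in the result.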
