Security issue in restore mssql database

Discussion in 'Databases' started by dave, Sep 28, 2010.

  1. I'm hoping you can put my mind at rest here.
    I'm in the SQL Server management tool and connected to my Winhost site.
    I wanted to restore my database from a backup (just to test this), but was shocked to see that I have the option to restore from multiple backups of other users' data.

    Surely this is not correct or secure; I shouldn't even be able to SEE other backups, let alone be allowed to "potentially" restore this data as my own and do with it what I will.

    Even as a "best" case scenario I (and others) can infer quite easily the usernames of the databases, and in some cases it's not too hard to work out the passwords too.

    Can you assure me you will plug this security hole?

    Thanks

    Dave
     
    Last edited by a moderator: Oct 14, 2015
  2. Just found this quote in another thread from Winhost.

    "The db user name is mapped on the SQL 2008 Server in a way so that it prevents the listing of all the other databases to be seen when you connect to our server using SQL Server 2008 Management Studio. If we mapped the database user name in a way that will work around this DNN error message, everybody will see all the databases active on that SQL 2008 server; as you can guess this will be unacceptable to the majority of our customers."

    Obviously this is not the case.

    Dave
     
  3. Ray

    Dave, can you open a ticket to our support department about this? They will check the server and make sure that the permissions are set correctly. Sometimes our customers inadvertently enable the guest account, which makes it accessible to other users.

    Make sure you include as much detail as possible in the ticket. If possible, send a screenshot on the ticket. The more information and specifics our support staff get, the faster they can react to a problem.
     
  4. It's unlikely that you can see all the databases on the server, but as Ray suggested, if you can send a screenshot we can get a better idea of what's happening.

    It's not unusual to be able to see some of the other users' databases because someone is always enabling guest access, and when you do that, the database is supposed to be visible to everyone. I thought we did an automatic check every day to disable those, though... I know we discussed that option.
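
Added example, not part of the thread and not Winhost's own check: one way an administrator could run the daily sweep described above, listing every online user database where the `guest` user holds CONNECT. It assumes a login that may enter every database; the temp table name `#guest_enabled` is made up for the example.

```sql
-- Added example: find user databases where the guest user is enabled.
-- Assumes an administrative login that can read every database's catalog views.
SET NOCOUNT ON;

CREATE TABLE #guest_enabled (          -- hypothetical name, used only here
    database_name sysname      NOT NULL,
    state_desc    nvarchar(60) NOT NULL
);

DECLARE @db sysname, @sql nvarchar(max);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE database_id > 4              -- skip master, tempdb, model, msdb
      AND state = 0;                   -- ONLINE databases only

OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- guest is "enabled" when it has been granted CONNECT at database level
    SET @sql = N'
        INSERT INTO #guest_enabled (database_name, state_desc)
        SELECT @name, pe.state_desc
        FROM ' + QUOTENAME(@db) + N'.sys.database_principals AS pr
        JOIN ' + QUOTENAME(@db) + N'.sys.database_permissions AS pe
          ON pe.grantee_principal_id = pr.principal_id
        WHERE pr.name = N''guest''
          AND pe.class = 0
          AND pe.permission_name = N''CONNECT''
          AND pe.state IN (''G'', ''W'');';   -- GRANT / GRANT WITH GRANT OPTION

    EXEC sys.sp_executesql @sql, N'@name sysname', @name = @db;
    FETCH NEXT FROM db_cursor INTO @db;
END

CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT database_name, state_desc FROM #guest_enabled ORDER BY database_name;
DROP TABLE #guest_enabled;

-- Remediation, run inside each database reported above:
--   REVOKE CONNECT FROM guest;
```

The system databases are skipped because `guest` must stay enabled in `master` and `tempdb`.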
     
