Yep, I trawled through the 12 billion lines of code :-) LOL. Yep, at present I have disabled full, unrestricted access to the system SPs for logins who are not members of the local Administrators group for the MSSQLServer service; users who are not members of the sysadmin fixed server role cannot execute xp_cmdshell.
Thanks for all the advice and heads up though..... It's good to see that people are aware.

-----Original Message-----
From: Dave Watts [mailto:[EMAIL PROTECTED]]
Sent: 22 January 2003 11:00
To: CF-Talk
Subject: RE: Goodbye cruel world

> You are all talking about past stuff - which has already
> been documented as being insecure and as a result is the
> first thing you fix on a new machine.

So, I take it that you've completed your audit of the Windows and IIS source code, and you've found no other vulnerabilities. That's good to know!

Seriously, there are new issues found on a regular basis - there are plenty of smart people banging on Windows and IIS to see what falls out. Configuring a server for security isn't just a matter of making sure all the patches are installed - you have to configure the server defensively, so that when some new vulnerability comes up, you're less likely to be vulnerable since you've disabled that functionality, or applied more restrictive ACLs, or whatever.

> I doubt any URL data will be able to fire off an SP, unless
> it knew the name, username and password of the sp etc.....

Well, if you're running SQL Server, you probably have all of the built-in SQL Server stored procedures. My favorite is xp_cmdshell, which lets your SQL statement open a command processor on your database server - handy for FTPing whatever files you want to install onto your database server, among other things.

> I heed your warnings, but I can safely say that my machine
> is at present 100% secure.

So, you've unplugged it and turned it off. Yes, now it's secure, in that case. If not, you can't safely say anything of the sort - that would be either ignorant or hubristic. No server is 100% secure - most of us would happily settle for adequate security, or some level of due diligence.
Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444

Archives: http://www.houseoffusion.com/cf_lists/index.cfm?forumid=4
Subscription: http://www.houseoffusion.com/cf_lists/index.cfm?method=subscribe&forumid=4
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
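Worked illustration of the point Dave makes above (URL data reaching xp_cmdshell, and the server-side check and fix). This is an added example, not code from the thread or from either poster; the table name `dbo.products`, the `url.id` parameter and the ftp payload are made up, and the `sp_configure 'xp_cmdshell'` step assumes SQL Server 2005 or later (on SQL Server 2000 the option does not exist, and restricting EXECUTE on the procedure to sysadmin is what remains). In ColdFusion the parameterized form corresponds to wrapping the value in `<cfqueryparam>` rather than interpolating `#url.id#` into the query string.

```sql
-- Added example, not from the original CF-Talk thread. Object names and the
-- payload are constructed for illustration.

-- 1. A page that concatenates the query:  SELECT ... WHERE id = #url.id#
--    With url.id set to
--        1; EXEC master..xp_cmdshell 'ftp -s:c:\temp\get.txt' --
--    the batch SQL Server actually receives is the following. No SP name,
--    username or password had to be "known": xp_cmdshell ships with the
--    product, and the command runs as the MSSQLServer service account.
SELECT name, price FROM dbo.products WHERE id = 1; EXEC master..xp_cmdshell 'ftp -s:c:\temp\get.txt' --

-- 2. Parameterized form: the value is bound as an int and never parsed as
--    SQL, so the same input is a conversion error, not a second statement.
EXEC sp_executesql
     N'SELECT name, price FROM dbo.products WHERE id = @id',
     N'@id int',
     @id = 1;

-- 3. Defensive check: who, besides sysadmin, can execute xp_cmdshell?
--    (An empty result set is what you want to see.)
USE master;
SELECT dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON p.grantee_principal_id = dp.principal_id
WHERE p.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 4. Hardening: revoke any EXECUTE grant the check above turned up (PUBLIC
--    shown here) and turn the feature off entirely, so a future injection
--    bug in some other page has nothing to call.
REVOKE EXECUTE ON sys.xp_cmdshell FROM PUBLIC;
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Step 4 is the "configure the server defensively" part of the argument: even with the application fixed, leaving xp_cmdshell callable means the next injection bug, found or unfound, yields a shell on the database host rather than a data leak.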

