You are most likely right that by default MSDE and 2005 Express are secure by default. I'm sorry for the misunderstanding; I thought I made this clear when I said "if the configuration allows the guest account access to the database", but I guess I should have added something about it being secure by default. I'm sure this was my mistake, because I've received at least 3 emails that have pointed out that SQL Server is secure by default. Mostly my comment was in reference to "How many people at home run a fully fledged RDBMS on their XP systems?". I was just trying to point out that more people than we may think _are_ running database servers on their system.
Laters,
Dave King

James Eaton-Lee wrote:
>On Wed, 2005-11-16 at 12:20 -0700, Dave King wrote:
>
>>While it still may not be "millions of people" several products come
>>bundled with the desktop edition of SQL Server 2000, and I'm sure many
>>will come with SQL Server 2005 Express. As far as I can tell by reading
>>the paper (but not testing it myself) these are probably vulnerable as
>>well if the configuration allows the guest account access to the database.
>
>"Microsoft SQL Server 2000 - By default, Microsoft SQL Server 2000 is
>not vulnerable. Like Oracle, SQL Server authenticates the client using
>the NTLM SSPI AcceptSecurityContext() function and the user is logged on
>as Guest, however, as SQL Server requires that a specific user be
>granted access, the remote user can log in – by default SQL Server
>doesn’t allow Guest access to the database server. If, for whatever
>reason, someone has granted either the Guest account or the built-in
>Guests group access to the SQL Server then a remote user without valid
>credentials will gain access."
>
>I may be wrong, but I'd assume that the way in which SQLDE authenticates
>is similar to MSSQL and therefore isn't affected by this... feel quite
>free to correct me, because I don't claim to be an expert on the DE
>version of SQL! :)
>
>This of course wouldn't be the case for databases bundled with insecure
>permissions (as vendors are apt to do), and that'd probably be what I'd
>worry about most in these situations.
>
> - James.
>
>>Dave King
>>http://www.thesecure.net
>>
>>>To be honest I don't think we're talking millions of people. How many
>>>people at home run a fully fledged RDBMS on their XP systems? Very few
>>>I'd guess. Besides, Simple File Sharing is documented so MS are
>>>educating those willing to seek information.
>>
>>_______________________________________________
>>Full-Disclosure - We believe in it.
>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>Hosted and sponsored by Secunia - http://secunia.com/
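An added example, not part of this thread: a T-SQL audit for the condition the quoted paper describes, namely a server login granted to the Windows Guest account or the BUILTIN\Guests group, plus the related database-level check for the built-in guest user. It assumes SQL Server 2005 or later catalog views (sys.server_principals, sys.database_permissions); the SQL Server 2000/MSDE equivalent is noted in a comment.

```sql
-- Added audit script (not from the thread). Assumes SQL Server 2005+ catalog views.
-- Run as a member of sysadmin so all principals are visible.

-- 1. Server level: has the local Guest account or the Guests group been given a login?
--    Any row here is the misconfiguration the quoted paper warns about.
SELECT name, type_desc, is_disabled, create_date
FROM sys.server_principals
WHERE type IN ('U', 'G')                       -- U = Windows user, G = Windows group
  AND (name LIKE '%\Guest' OR name LIKE '%\Guests');

-- SQL Server 2000 / MSDE equivalent (assumption: legacy system table, not verified here):
-- SELECT name FROM master..syslogins WHERE name LIKE '%\Guest%';

-- 2. Database level, run in each user database: can the built-in guest user connect?
--    guest is enabled by default only in master, tempdb and msdb; a row in a user
--    database means someone granted it explicitly.
SELECT DB_NAME()            AS database_name,
       dp.name              AS principal_name,
       pe.permission_name,
       pe.state_desc
FROM sys.database_principals  AS dp
JOIN sys.database_permissions AS pe
  ON pe.grantee_principal_id = dp.principal_id
WHERE dp.name            = 'guest'
  AND pe.permission_name = 'CONNECT'
  AND pe.state           = 'G';                -- G = granted

-- 3. Remediation if an unintended grant is found (review before running):
-- DROP LOGIN [BUILTIN\Guests];                 -- remove the server-level login
-- REVOKE CONNECT FROM guest;                   -- in each user database that returned a row
```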
