JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-15 : 13:54:16
After all our discussions on it not being possible to have an instance of SQL that the administrator cannot access, someone has figured out how. The new version of ACT Premium does just that. It cannot be accessed from EM even on the SQL server. The only thing I can think of is that they had to find a way to remove Windows Authentication somehow.

Jim
Users <> Logic

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-15 : 13:57:04
ummm.... huh?

Brett
8-)

tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-11-15 : 14:03:30
Same questions though... How does the DBA do DBA work on an instance that he/she can't get into? Who is going to do the SQL backups, integrity checks, optimizations, etc...?

Tara

JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-15 : 14:07:29
Right Tara. Although they created a backup and restore in the front end. Worse is no one has a clue what scripts exist inside it and it requires internet access. Talk about a security risk!

Jim
Users <> Logic

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-15 : 14:22:40
Well, how many database maintenance admin tools did they build in to the "application"? Also, the "application" must be communicating to the database using SQL Server security with a connection pooling id... ie 1 id, obviously with admin rights... which I would say is bad.... Hey, just for kicks... try and connect to it with sa and a blank password... do you know the server name?

Brett
8-)

JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-15 : 15:48:32
Not much in the app. Can't schedule backups or anything else for that matter. I can see the instance, just can't connect. No joy on SA, they ain't that stupid. How in the heck do they prevent Windows Authentication?

Jim
Users <> Logic

tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-11-15 : 15:49:40
They removed the BUILTIN\Administrators group from SQL Server.

Tara

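A defender-side check for the situation Tara describes (an added example, not posted in this thread): T-SQL for SQL Server 2000 that reads master..syslogins to list every sysadmin login, report whether BUILTIN\Administrators is still present, and flag the "one shared SQL login with admin rights" pattern Brett suspects the application uses.

```sql
-- Added audit script (not from the thread). Run in Query Analyzer or osql
-- as a login that can read master; uses the SQL Server 2000 syslogins view.
USE master
GO

-- 1. Who holds sysadmin, and is each one a Windows group, a Windows user
--    or a standard SQL Server login?
SELECT  name,
        CASE WHEN isntgroup = 1 THEN 'Windows group'
             WHEN isntuser  = 1 THEN 'Windows user'
             ELSE 'SQL login' END AS login_type,
        hasaccess,
        denylogin
FROM    master..syslogins
WHERE   sysadmin = 1
ORDER BY login_type, name
GO

-- 2. Is BUILTIN\Administrators still a sysadmin login? If it is gone or
--    denied, local administrators (the DBA included) have no Windows
--    Authentication path into the instance, which is the symptom above.
IF NOT EXISTS (SELECT 1 FROM master..syslogins
               WHERE name = 'BUILTIN\Administrators')
    PRINT 'WARNING: BUILTIN\Administrators login has been removed'
ELSE IF EXISTS (SELECT 1 FROM master..syslogins
                WHERE name = 'BUILTIN\Administrators'
                  AND (sysadmin = 0 OR denylogin = 1))
    PRINT 'WARNING: BUILTIN\Administrators exists but is not sysadmin or is denied login'
ELSE
    PRINT 'OK: BUILTIN\Administrators is present and sysadmin'
GO

-- 3. Flag standard SQL logins (not sa) holding sysadmin: the usual shape of
--    a single application id whose password lives in the client binary.
--    Each hit deserves a review of why the app needs server-wide admin.
SELECT  name AS shared_app_login_suspect,
        hasaccess,
        denylogin
FROM    master..syslogins
WHERE   sysadmin = 1
  AND   isntname = 0
  AND   name <> 'sa'
GO
```

The same columns survive as the compatibility view sys.syslogins on later versions, so the script also works as a quick first pass there.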
X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-15 : 16:07:40
Is it a browser based app? Do you see any SQL in the URL?

Brett
8-)

JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-15 : 16:18:05
Front end looks to be VB.

Jim
Users <> Logic

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-15 : 16:46:42
So it's a client install.... Does SQL Server prompt you to login? If not, then they're using that single id thing. If it does, then you can connect with that id... more likely the former... Do you have access to the code? I'll bet anything that the id and password are hardcoded.

Brett
8-)

tkizer
Almighty SQL Goddess
38200 Posts |
Posted - 2004-11-15 : 16:47:55
So who is responsible for the DBA work if the database gets corrupted?

Tara

Kristen
Test
22859 Posts |
Posted - 2004-11-16 : 00:50:41
So you'll be getting your network packet sniffer out of the cupboard then, eh?

Kristen

jen
Master Smack Fu Yak Hacker
4110 Posts |
Posted - 2004-11-16 : 01:00:44
so all of the admin tasks are done via the application? which implies that they will be able to know the sa password. i think this is risky stuff (and on the internet?), can't trust them with clients' credit card numbers. So in essence, the DBA becomes the user of the system instead of the admin?

--------------------
keeping it simple...

Wanderer
Master Smack Fu Yak Hacker
1168 Posts |
Posted - 2004-11-16 : 09:01:21
As I recall, they felt that they didn't need a DBA - that DBAs were people who "made work" to have a job, and that they could automate everything a DBA could, or should, do, into the APP.

*##* *##* *##* *##*
Chaos, Disorder and Panic ... my work is done here!

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-16 : 09:23:49
OK... where's that thread.... Was it Maurice? Jim, what's the name of the product? It's 3rd party, right?

Brett
8-)

graz
Chief SQLTeam Crack Dealer
4149 Posts |
Posted - 2004-11-16 : 12:18:30
Stop the service and copy master.mdf and mastlog.ldf to new file names. Restart the service. Attach the database with the new file names and call it something like master2. Then you can query syslogins and see what accounts are available.

Of course, if Jim wanted instructions on how to hack SQL Server, that's a great way to ask.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-16 : 12:23:49
quote: Originally posted by graz
Stop the service and copy master.mdf and mastlog.ldf to new file names. Restart the service. Attach the database with the new file names and call it something like master2. Then you can query syslogins and see what accounts are available.
Of course, if Jim wanted instructions on how to hack SQL Server, that's a great way to ask.
===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

LOL. SQL Server... ummm, Security?

Brett
8-)

JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-16 : 12:47:39
Sorry, got busy. Brett, no access to the code, no prompt. Neat idea Graz, but the security issues were too much so I deleted it. Crap.... My network still sees the instance even though it's gone. Now how do I clean up this? (so much for their uninstall)

Jim
Users <> Logic

Kristen
Test
22859 Posts |
Posted - 2004-11-16 : 14:22:40
"Now how do I clean up this?"

It's a function in their Admin package <vbg>

Kristen

JimL
SQL Slinging Yak Ranger
1537 Posts |
Posted - 2004-11-16 : 14:31:37
Got it cleaned out now. What a cluster F~@$. Gotta find a new SQL based contact management program. I do not have time to build one just now.

Jim
Users <> Logic

X002548
Not Just a Number
15586 Posts |
Posted - 2004-11-16 : 15:11:35
Why not use the one that comes with Access?

Brett
8-)
