Hello,
Today and Yesterday, someone removed my accountDB from SQL Server 2005.
No one has my Host PW.
How can I protect against that?
O.o
Only localhost can configure that.
There are just a couple of MS SQL exploits, and MS usually patches any known ones pretty quickly... however, if you run your web services through IIS (or another Windows-based web server), there are a number of exploits that allow you to run any program you like under whatever user account the web server runs as.
As an example, if you log in as "Administrator" to launch the game server and web server, anyone connecting to your web server can run any program you can, and the logs will say "Administrator" did it... which is true.
If you use IIS, it's usually run as a system service under the "SYSTEM" or "Local Service" account, in which case, the log will show that they did it... which is still true.
SYSTEM, and Local Service typically have more privileges than Administrator, in that they can start, stop, install and delete services, drivers and system files without on-screen confirmation.
This is a very good reason not to run your Web Server from the same machine as your Game Server... and to ensure that the Web Server doesn't have any right to modify SQL, files or system registry on your Game Server machine.
But if it can't modify the SQL, how can users register, create clans and so on? Well, even though the user account the web server runs under doesn't have intrinsic permission, it can still make SQL queries (execute SQL code) via ODBC, MDAC or NCLI... but each SQL connection will have to be authenticated separately, and most of the sites I've seen posted here do assume that, and include a user name and password in each SQL connection they make.
The only thing you have to worry about then, is setting permissions wrong, and allowing web access to the source of those pages... which of course contains your user name and password.
If you are not confident in your ability to secure the source of your pages, it is possible to place the user name and password in a registry key, or other secure location that the script can access via its server-side scripting commands... but if there is any hope whatsoever that a user can upload a file to your web server, there is still the chance that (through error, or exploit) they may be able to replicate this script to display that information in their browser. :(
Long story short... web and database security is *BIG* business... people study it for 6 years and get paid well to ensure that banks and businesses don't lose their secure data, and can still access it when they need to with a minimum of effort. Other people spend their entire lives exploiting the slightest thing that may have slipped the first group's notice and posting vast amounts of very sensitive information in very public places, or simply destroying information worth several small islands.
Backup regularly and have a good security guy.
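The reply above boils down to three controls: give the web server's SQL connection a login that can only do what the pages need, never let the web login (or a leaked connection string) drop the database, and back up. The T-SQL below is an added example written for this thread, not code from either poster; it assumes the database is named [accountDB], the web login is named [webapp], an Accounts table exists, and a backup path of D:\backups. It uses only SQL Server 2005 features (CREATE LOGIN, EXECUTE-only grants, a server-scoped DDL trigger with EVENTDATA()).

```sql
-- Added example for this thread (editor's code, not the original poster's).
-- Assumed names: database [accountDB], web login [webapp], table dbo.Accounts.
USE master;
GO

-- 1. A dedicated login for the web server's connection string. This is the
--    "separately authenticated" SQL connection the reply talks about; it is
--    NOT sa and NOT the account the web server process runs as.
CREATE LOGIN webapp
    WITH PASSWORD = 'Replace-With-A-Long-Random-Password-1',
         CHECK_POLICY = ON;
GO

USE accountDB;
GO
CREATE USER webapp FOR LOGIN webapp;
GO

-- 2. Registration happens through a stored procedure, and the web login gets
--    EXECUTE on that procedure only. No db_owner, no db_datawriter, no direct
--    table access: even if the page source leaks the password, the attacker
--    can register accounts but cannot DROP, TRUNCATE or SELECT the table.
CREATE PROCEDURE dbo.usp_RegisterAccount
    @Name         NVARCHAR(64),
    @PasswordHash VARBINARY(64)
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.Accounts (Name, PasswordHash) VALUES (@Name, @PasswordHash);
END
GO
GRANT EXECUTE ON dbo.usp_RegisterAccount TO webapp;
GO

-- 3. Server-level DDL trigger: refuse DROP DATABASE from anyone (including
--    sysadmins) and record who tried, from where, and what they ran.
USE master;
GO
CREATE TABLE dbo.DdlAudit (
    EventTime DATETIME      NOT NULL,
    LoginName SYSNAME       NOT NULL,
    HostName  NVARCHAR(128) NULL,
    AppName   NVARCHAR(128) NULL,
    Command   NVARCHAR(MAX) NULL
);
GO
CREATE TRIGGER trg_NoDropDatabase
ON ALL SERVER
FOR DROP_DATABASE
AS
BEGIN
    DECLARE @e XML;
    SET @e = EVENTDATA();

    -- Undo the DROP first; statements after ROLLBACK inside a trigger still
    -- run and are committed on their own, so the audit row survives.
    ROLLBACK;

    INSERT INTO master.dbo.DdlAudit (EventTime, LoginName, HostName, AppName, Command)
    VALUES (GETDATE(),
            ORIGINAL_LOGIN(),
            HOST_NAME(),
            APP_NAME(),
            @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)'));

    RAISERROR('DROP DATABASE is blocked on this server. Disable trigger trg_NoDropDatabase first.', 16, 1);
END
GO

-- 4. "Backup regularly": a full backup you can restore from if a control fails.
BACKUP DATABASE accountDB
    TO DISK = 'D:\backups\accountDB.bak'
    WITH INIT, CHECKSUM;
GO
```

After running this, `SELECT * FROM master.dbo.DdlAudit` shows every DROP DATABASE attempt with the login that issued it and the client host name, which is the missing piece in the original question ("no one has my host password" but the database still vanished). The web server's connection string should use the webapp login; if the pages need more than registration, add one procedure per action and grant EXECUTE on it, rather than widening the login's rights. To confirm the grant is as narrow as intended, run `EXECUTE AS LOGIN = 'webapp'; SELECT * FROM dbo.Accounts; REVERT;` and expect a permission error.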