07 April 2012

SQL Injection - Problem Access Privileges

Problem: Access Privileges
* Application is accessing database with:
- “sa” account
- ASP.NET worker process account (added as admin)
- High-privilege user account

Solution: Limit Privileges
- Application should have only the privileges it needs to access the database
- Grant ASP.NET account access to database using an alias
- Create an account that has minimal privileges (EXEC-only)
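
Added example (not from the original post): a T-SQL sketch of the EXEC-only setup for SQL Server, followed by queries that audit what the application account can actually do. The database AppDb, schema app, Windows account WEBSRV01\AspNetSvc, user app_web and role app_exec_only are assumed names; AppDb is assumed to exist already.

```sql
-- Added example. Assumed names: AppDb, app, WEBSRV01\AspNetSvc, app_web, app_exec_only.
USE master;
CREATE LOGIN [WEBSRV01\AspNetSvc] FROM WINDOWS;   -- no server roles are granted
GO
USE AppDb;
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE TABLE app.Orders (
    OrderId    INT IDENTITY PRIMARY KEY,
    CustomerId INT NOT NULL,
    Total      DECIMAL(10,2) NOT NULL
);
GO
-- Static, parameterized SQL: ownership chaining lets an EXECUTE-only caller
-- read app.Orders through the procedure without SELECT on the table.
-- Dynamic SQL (EXEC / sp_executesql) inside a procedure breaks that chain.
CREATE PROCEDURE app.GetOrdersByCustomer @CustomerId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT OrderId, Total FROM app.Orders WHERE CustomerId = @CustomerId;
END;
GO
CREATE USER app_web FOR LOGIN [WEBSRV01\AspNetSvc];
CREATE ROLE app_exec_only;
GRANT EXECUTE ON SCHEMA::app TO app_exec_only;    -- the only permission granted
ALTER ROLE app_exec_only ADD MEMBER app_web;      -- before SQL Server 2012: sp_addrolemember
GO
-- Audit: the login must not be sysadmin, and the user must not be in db_owner.
SELECT IS_SRVROLEMEMBER('sysadmin', 'WEBSRV01\AspNetSvc') AS is_sysadmin;
SELECT r.name AS role_name
FROM sys.database_role_members m
JOIN sys.database_principals r ON r.principal_id = m.role_principal_id
JOIN sys.database_principals u ON u.principal_id = m.member_principal_id
WHERE u.name = 'app_web';
-- Effective permissions as seen by the application account.
EXECUTE AS USER = 'app_web';
SELECT HAS_PERMS_BY_NAME('app.Orders', 'OBJECT', 'SELECT')               AS can_select_table,
       HAS_PERMS_BY_NAME('app.GetOrdersByCustomer', 'OBJECT', 'EXECUTE') AS can_exec_proc;
REVERT;
```

With only EXECUTE on the schema granted, a statement that ends up running as app_web is limited to calling the procedures in that schema and has no direct table, DDL or server-level permissions.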