guest user - how to delete

icemel · Jun 8, 2006

Hi,

I notice that in all my databases, there is a "guest" user account with no associated login. It is "via group membership" (which group I'm not sure it's referring to - perhaps BUILTIN/Administrators, I don't know - any ideas?)

I can't delete this user directly. How can I remove the "guest" user?

Thanks

mrdenny · Jun 8, 2006

You shouldn't remove the guest user. Without the guest account your users Enterprise Managers won't function as expected, and they can receive some very funky errors.

The guest account should be a member of the public role in every database on the server. This allows enterprise manager to see if the user has access to the database.

The guest account should never be added to any other roles, and no rights should be granted to the public role.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]

http://www.mrdenny.com

icemel · Jun 9, 2006

hi mrdenny,

just a question

The guest account should be a member of the public role in every database on the server. This allows enterprise manager to see if the user has access to the database.

Not sure what you mean by "if the user has access to the database" - which user are you referring to?

Thanks

mrdenny · Jun 9, 2006

Any other user on the server.

Basically when a non-sysadmin user open Enterprise Manager it opens each database via the guest access and checkes the sysusers table and sees if the user has access.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]

http://www.mrdenny.com

icemel · Jun 9, 2006

good to know, thanks

mrdenny · Jun 9, 2006

no problem.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]

http://www.mrdenny.com

mutley1 · Jun 15, 2006

Hi Denny,

I used to use a security tool called NGS Squirrel which flagged the guest account existance in databases as a high security alert and that it should be removed, although I think it was recommending removing it from just the master and msdb.

MSDB Database
Issue path: /10.xx.xx.xxx/Problems/Permissions/Guest Access/MSDB Database
Severity: High
Details: Guest account is enabled for the MSDB Database. Permitting guest access is not generally recommended.
Results:
name hasdbaccess
guest 1

I'm not doubting your knowledge, just would like futher information if you have any!

thanks,

M.

mutley1 · Jun 15, 2006

Sorry - I jusr re-read your post....it is only if a non-sysadmin uses Enterprise Manager. So it is safe to remove if we are only sysadmins using EM? That is definately the case here...

mrdenny · Jun 15, 2006

If only sysadmins use EM, and only sysadmins need to be able to access master and msdb then yes it should be save to remove.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
[noevil]

http://www.mrdenny.com

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

guest user - how to delete

icemel

MIS

mrdenny

Programmer

icemel

MIS

mrdenny

Programmer

icemel

MIS

mrdenny

Programmer

mutley1

MIS

mutley1

MIS

mrdenny

Programmer

Similar threads

Part and Inventory Search

Sponsor