3.4 Revoke default permissions for the public role

Information

By default, the public role has select permission on many system tables, including the
syslogins table in the master database (though not on the password column).

Since every database user is a member of the public role, it is recommended that these
permissions be revoked in every database.

This setting should be thoroughly tested on non-production servers before it is applied
since additional table privileges may need to be granted to specific users or groups once
public access is revoked.

Rationale:

Low privileged database users can glean useful information from system tables such as
account names and lockout status.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

1. Connect to the ASE server as a user with the sa_role and execute the following SQL
statement for each database listed in sysdatabases (where <Database> should be
substituted for the appropriate database name). For the complete list of tables that
this command affects, see the description of the revoke command in the Sybase ASE
Reference Manual: Commands.

Note that the tables affected differ depending on whether the database is the master
database or not.

use <Database>

revoke default permissions on system tables
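Because the step above has to be repeated for every database in sysdatabases, the following added example (not part of the benchmark text) generates the per-database batch from master..sysdatabases and then verifies the result with sp_helprotect; it assumes Sybase ASE isql syntax (the `go` batch terminator and `+` string concatenation).

```sql
-- Added example, not from the CIS benchmark: build one
-- "use <db> / revoke default permissions on system tables" batch
-- for every database in master..sysdatabases. Run as a login holding
-- sa_role, review the generated text, then paste it into a second
-- isql session so each batch executes in the right database context.
select 'use ' + name + char(10) + 'go' + char(10)
     + 'revoke default permissions on system tables' + char(10) + 'go'
  from master..sysdatabases
 order by name
go

-- Verification after the revoke: sp_helprotect lists the permissions
-- granted on an object. No remaining row for master..syslogins should
-- show a select grant to the public group.
use master
go
sp_helprotect syslogins
go

-- Second check, run from a login that holds only the public role:
-- reading account names from syslogins should now be denied with a
-- permission error instead of returning rows.
select name from master..syslogins
go
```

Keep the generated batch for change records, and re-run the sp_helprotect check on non-production servers first, since applications that relied on the default grants will need explicit permissions afterwards.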

See Also

https://workbench.cisecurity.org/files/1612