Recently, while I was visiting a new customer, someone rushed into the room shouting – someone had hacked our site. Even though this was not the purpose of my visit, I tried to provide first aid for the situation. It was clear that the hacker had used SQL injection to add update statements to simple selects. After a short review I found out that the service that ran the ASP code was using sysadmin privileges. The solution was simple; we reduced the privileges of this account by adding the account to the db_datareader...