Prevent users from impersonating sysadmin using runas /netonly
Posted Wednesday, July 25, 2012 4:56 PM
SSC Rookie
So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

So the only thing that is needed to run as a sysadmin is to know the users' login?

How is this possible and how do I prevent it?
Post #1335491
Posted Monday, July 30, 2012 11:18 AM
SSCertifiable
robbase9 (7/25/2012)
So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

So the only thing that is needed to run as a sysadmin is to know the users' login?

How is this possible and how do I prevent it?

runas will prompt for the password of the account specified after /user:, i.e. whoever is using runas to open SSMS also must know the password for domain\username in order to launch SSMS. Try it yourself.


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1337427
Posted Monday, July 30, 2012 12:02 PM
SSC-Forever
Does your company have an IT security policy? If so, does it say anything about using other people's logins without their permission?

The company I used to work for had such a security policy, and what you describe there was a dismissible offence.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #1337452
Posted Monday, July 30, 2012 10:29 PM
Valued Member
To prevent someone from logging on with your account, follow these three guidelines:

- Don't share your password with anyone.
- Don't write your password down somewhere where someone else can read it.
- Change your password regularly.

Also note that you can restrict a user account to log on only to specific computers in Active Directory (AD). You can also grant or deny users and groups log-on permissions in the computer's security policy, which can be distributed from AD using a Group Policy Object (GPO).
Post #1337658
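A defender-side illustration of the points made in this post and the earlier reply, added here and not part of the thread: with runas /netonly the supplied domain credential is never validated by the local VM, only presented to network services, so SQL Server sees the real sysadmin login while the session's host is the VM rather than the sysadmin's own workstation. The T-SQL below (SQL Server 2008 and later; the host names and trigger name are placeholders) first lists sysadmin sessions by source host and then denies sysadmin logins from hosts outside an allow-list.

```sql
-- Added example, not from the thread. Placeholders: ADMIN-WS01/ADMIN-WS02.

-- 1. Detection: current sessions running as a sysadmin login, with the
--    client host and network address they connected from. A sysadmin login
--    arriving from an unexpected host_name is the "VM + runas /netonly" signal.
SELECT s.session_id,
       s.login_name,
       s.original_login_name,   -- differs from login_name after EXECUTE AS
       s.host_name,             -- client-reported machine name (spoofable)
       c.client_net_address,    -- address as seen by SQL Server (not spoofable)
       s.program_name,
       s.login_time
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1
  AND s.host_name NOT IN ('ADMIN-WS01', 'ADMIN-WS02');
-- Note: IS_SRVROLEMEMBER(role, login) only evaluates logins that exist
-- directly on the server; sysadmin membership inherited through a Windows
-- group login is not reported for the individual user this way.
GO

-- 2. Mitigation: refuse sysadmin logins from hosts not on the allow-list.
--    The trigger runs as the connecting login, so IS_SRVROLEMEMBER('sysadmin')
--    checks that login. HOST_NAME() is client-supplied, so this raises the bar
--    for shared credentials; it is not a substitute for the AD "Log On To"
--    restriction and GPO logon rights mentioned above.
CREATE TRIGGER trg_sysadmin_host_allowlist
ON ALL SERVER
FOR LOGON
AS
BEGIN
    IF IS_SRVROLEMEMBER('sysadmin') = 1
       AND HOST_NAME() NOT IN ('ADMIN-WS01', 'ADMIN-WS02')
       AND ORIGINAL_LOGIN() <> 'sa'   -- break-glass exemption
    BEGIN
        -- ROLLBACK inside a logon trigger denies the connection.
        ROLLBACK;
    END
END;
GO
```

If the allow-list is wrong and the trigger locks administrators out, connect through the Dedicated Administrator Connection (logon triggers are not fired on the DAC) and run DISABLE TRIGGER trg_sysadmin_host_allowlist ON ALL SERVER.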
Posted Wednesday, August 1, 2012 9:18 AM
SSC Rookie
Oh, you have to have the password too. That sounds better. That just means they're sharing passwords, which is a different matter.

Thanks, guys or gals.
Post #1338617