View Server State Permission - Risks?
Posted Friday, February 14, 2014 5:13 PM
What are the security risks of granting View Server State permissions to developers in a production instance?
- Do any of the DMVs expose password information?
- Can the actual transaction data (from the OLTP database tables) be viewed from the DMVs?

Post #1541807
Posted Friday, February 14, 2014 5:37 PM


1.- No, password information is never revealed.
2.- Not exactly, just number of rows (AFAIK).



Luis C.
Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1541808
Posted Friday, February 14, 2014 6:31 PM


Consider it like read-only access to DMV/system information and schema info, but not the direct ability to view the data.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Post #1541810
Posted Friday, February 14, 2014 7:23 PM
Thanks. So are there no Security risks? So what are the best practices in granting View Server State permissions to developers (non-sysadmins) in production SQL instances?
Post #1541815
Posted Saturday, February 15, 2014 6:41 AM


The question is not entirely easy to answer, and ultimately it depends on why you want to give developers VIEW SERVER STATE and how much you trust them.

With VIEW SERVER STATE it is possible to see some data, for instance constants and parameters in query plans and query text. From estimates in query plans, you can draw some conclusions about the data profile. No, it is not a particularly simple exercise, but if you have very sensitive data, you may have reason to be worried.

If you want to give developers VIEW SERVER STATE for a specific purpose, one alternative is to package that in a stored procedure which you sign with a certificate, and create a login from that certificate and grant that login VIEW SERVER STATE.


Erland Sommarskog, SQL Server MVP, www.sommarskog.se
Post #1541843
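The certificate-signing approach described in the last reply, written out as an added T-SQL example (not code from any poster in this thread). The certificate, procedure, login and role names are hypothetical, the password is a placeholder, and the `DevReaders` role is assumed to already exist in `master` with the developers as members.

```sql
-- Added example: all object names below are hypothetical.
USE master;
GO
-- 1. Certificate whose private key signs the procedure.
CREATE CERTIFICATE DevServerStateCert
    ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Signs procedures that need VIEW SERVER STATE';
GO
-- 2. Procedure that exposes only the columns developers need.
--    Query text and plans are left out on purpose: they can carry
--    constants and parameter values taken from the data.
CREATE PROCEDURE dbo.DevActiveRequests
AS
BEGIN
    SET NOCOUNT ON;
    SELECT r.session_id, r.status, r.command, r.wait_type, r.wait_time,
           r.blocking_session_id, r.cpu_time, r.logical_reads,
           DB_NAME(r.database_id) AS database_name
    FROM sys.dm_exec_requests AS r
    WHERE r.session_id <> @@SPID;
END;
GO
-- 3. Sign the procedure. Any later ALTER PROCEDURE drops the signature,
--    so a modified procedure loses the permission until it is re-signed.
ADD SIGNATURE TO dbo.DevActiveRequests
    BY CERTIFICATE DevServerStateCert
    WITH PASSWORD = '<placeholder-strong-password>';
GO
-- 4. Remove the private key so the certificate cannot sign other code.
ALTER CERTIFICATE DevServerStateCert REMOVE PRIVATE KEY;
GO
-- 5. Login mapped to the certificate. It cannot be used to connect;
--    it exists only to carry the server-level permission.
CREATE LOGIN DevServerStateCertLogin FROM CERTIFICATE DevServerStateCert;
GRANT VIEW SERVER STATE TO DevServerStateCertLogin;
GO
-- 6. Developers get EXECUTE on the procedure and nothing else.
--    DevReaders is assumed to be an existing database role in master.
GRANT EXECUTE ON dbo.DevActiveRequests TO DevReaders;
GO
```

A developer who queries `sys.dm_exec_requests` directly still sees only their own session; the full view is available only through the signed procedure, with the column list you chose.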