An Administrative Security Hole? Expand / Collapse
Posted Monday, February 8, 2010 8:23 PM


SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item An Administrative Security Hole?

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #862175
Posted Tuesday, February 9, 2010 1:45 AM
SSC Veteran

Group: General Forum Members
Nice feature. Especially considering the fact that if you have physical access to the server, you can gain administrator rights to Windows with a single reboot (2 for Active Directory DCs). Sure, you need to boot from CD/USB, so a password-protected BIOS boot menu will help, if available.
Anyway, thanks for the editorial - good to know :)
Post #862263
Posted Tuesday, February 9, 2010 1:46 AM
SSC Journeyman

Group: General Forum Members
The human factor is always a weak place.
Nobody can be sure their treasure is safe if someone else has access to it, even as a DB admin or security officer.
So the best solution for you is to be the only one who can use, control, manage, protect and support your own database.
That "security hole" you described is needed for other reasons.
Post #862264
Posted Tuesday, February 9, 2010 2:16 AM
SSCommitted

Group: General Forum Members
If someone has admin access to your server then you have to assume they're going to be able to extract data from it somehow, I think. Would it be considered a security hole if an admin got into your (non-SQL) payroll database? I think probably not, because admins have full access to the machine.

In short, if someone who is not trustworthy has admin access to your server, you've lost the battle to start with.
Post #862274
Posted Tuesday, February 9, 2010 2:36 AM
SSC Rookie

Group: General Forum Members
If you can't trust your System Administrator you are in trouble. If the data was that important you'd also have other controls in place. I don't think this is really a security hole. A system/enterprise admin could also create a generic account and do damage to any system that he wished through assigning him/herself to any security group or policy. This is a person in a position of responsibility being malicious. If a server was put into single user mode a DBA would know about it and an investigation would take place. They wouldn't get away with it.
Post #862287
Posted Tuesday, February 9, 2010 2:59 AM
SSC-Forever

Group: General Forum Members
Considering it requires local administrator permissions, I wouldn't really call it a back door. Someone with local admin could just as easily stop SQL and copy off the data and log files, copy off the backups, install a kernel-level app that reads memory directly, install a network sniffer or any other manner of nasty tools.

If someone has administrative permission (or the ability to gain administrative permissions) and wants to steal data/be malicious, there's very few ways to stop them. It's why the principle of least permissions is such a good idea. There should be very few people who have administrative rights to the server, and the DBA is not necessarily one of them.



Gail Shaw
Microsoft Certified Master: SQL Server 2008, MVP
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Post #862296
Posted Tuesday, February 9, 2010 3:32 AM
SSCrazy

Group: General Forum Members
Although it is right that people with high-level rights are trusted, it is also important to verify they are not abusing that trust.

In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled. This means that anyone performing an action that triggers a Windows Security event leaves a record of what has happened that is very difficult to remove.

The result is that administration users are trusted and potential abuse of rights recorded for verification purposes. Local site staff management procedures then deal with gaining a justification of why the potentially abusive action occurred.

When SQL Server is started in Single User mode, a Windows Security event should be triggered to record what has happened and the account name that started SQL Server.

I have created a Connect suggestion for the above. If you think this is a good resolution, or even if it is a bad idea, please vote at https://connect.microsoft.com/SQLServer/feedback/details/532175/trigger-a-windows-security-event-when-sql-server-stated-in-single-user-mode#details


Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2014, 2012, 2008 R2, 2008 and 2005. 18 October 2014: now over 31,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Concept: "Pizza Apartheid" - the discrimination that separates those who earn enough in one day to buy a pizza if they want one, from those who can not.
Post #862305
Posted Tuesday, February 9, 2010 3:37 AM
SSCommitted

Group: General Forum Members
EdVassie (2/9/2010):
"In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled."

Problem is, they're local admins--they can get round stuff like that! If you block local file permissions to local admins to prevent them doing something, they can just take ownership of the file and change permissions as they wish. Long and short of it is, if you don't trust someone, you don't make them local admin, it's the only possible answer.
Post #862306
Posted Tuesday, February 9, 2010 3:43 AM
SSC Rookie

Group: General Forum Members
Time for DBAs to be humble... ahh, we're not masters of the universe.
Post #862308
Posted Tuesday, February 9, 2010 3:58 AM
SSCrazy

Group: General Forum Members
"Problem is, they're local admins--they can get round stuff like that!"

True for NT4, don't know for Windows 2000, but not true for Windows 2003 and above. There are lots of things that cannot be done by people with local admin authority.

The Windows Security log is locked down by Windows, and GPOs can prevent a local admin from clearing it and from getting round this restriction. Even if you do clear it, Windows will initialise the log with a record saying 'Cleared by joe bloggs' or whoever did the deed.


Post #862314
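EdVassie's two posts above rest on a detection argument: a single-user-mode start of SQL Server should leave a record, and an admin who clears the Security log leaves a record of the clearing itself. The script below is an added example, written for this editorial thread and not code from any poster, Microsoft or SQLServerCentral. It flags both signals over constructed sample data: a SQL Server ERRORLOG excerpt (the "Registry startup parameters:" block and the "started in single-user mode" warning, both of which SQL Server writes at startup) and a handful of Security-log records whose field names follow the 4688 (process creation) and 1102 (audit log cleared) event schemas. The sample records, the account names and the `SAMPLE_*` constants are all invented for the example.

```python
"""Defender-side checks for the two signals the thread discusses: SQL Server being
started in single-user mode (the -m startup option) and the Windows Security log
being cleared. All sample data in this file is constructed for the example."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # "errorlog" or "security"
    kind: str     # which condition fired
    account: str  # who did it, where the record says so
    detail: str   # the evidence line or field


# One ERRORLOG line: timestamp, source column (e.g. "Server"), then the message.
ERRORLOG_LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")

# Constructed ERRORLOG excerpt modelled on what SQL Server writes at startup.
SAMPLE_ERRORLOG = """\
2010-02-09 03:15:01.12 Server      Microsoft SQL Server 2008 (SP1) - 10.0.2531.0 (X64)
2010-02-09 03:15:01.20 Server      Registry startup parameters:
2010-02-09 03:15:01.20 Server      \t -d C:\\SQLData\\master.mdf
2010-02-09 03:15:01.20 Server      \t -m
2010-02-09 03:15:01.35 Server      Warning ******************
2010-02-09 03:15:01.35 Server      SQL Server started in single-user mode. This an informational message only. No user action is required.
"""

# Constructed Security-log records as a collector might export them (field names
# follow the 4688 and 1102 event schemas; accounts and paths are invented).
SQLSERVR = r"C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4688, "SubjectUserName": r"CORP\joe.bloggs",
     "NewProcessName": SQLSERVR, "CommandLine": f'"{SQLSERVR}" -sMSSQLSERVER -m'},
    {"EventID": 4688, "SubjectUserName": r"CORP\joe.bloggs",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"EventID": 4624, "SubjectUserName": r"CORP\svc-backup"},
    {"EventID": 1102, "SubjectUserName": r"CORP\joe.bloggs"},
]


def single_user_tokens(cmdline: str) -> list[str]:
    """Return the sqlservr.exe startup options that request single-user mode:
    a bare -m, or -m followed by the only application allowed to connect
    (for example -m"SQLCMD"). Other options such as -s or -T are ignored."""
    return [tok for tok in cmdline.split() if tok.startswith("-m")]


def scan_errorlog(text: str) -> list[Finding]:
    """Flag a persistent -m among the registry startup parameters and the
    single-user-mode warning SQL Server logs when it actually starts that way."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = ERRORLOG_LINE.match(line)
        if not m:
            continue  # continuation or unparseable line
        stamp, _source, msg = m.groups()
        if msg.startswith("-m"):
            findings.append(Finding("errorlog", "single_user_startup_parameter",
                                    "unknown", f"{stamp} {msg}"))
        elif "single-user mode" in msg:
            findings.append(Finding("errorlog", "single_user_mode_startup",
                                    "unknown", f"{stamp} {msg}"))
    return findings


def scan_security_events(events: list[dict]) -> list[Finding]:
    """Flag 1102 (audit log cleared, with the clearing account) and any 4688
    process creation of sqlservr.exe whose command line requests single-user mode."""
    findings: list[Finding] = []
    for ev in events:
        who = ev.get("SubjectUserName", "unknown")
        if ev.get("EventID") == 1102:
            findings.append(Finding("security", "audit_log_cleared", who,
                                    "Event 1102: the audit log was cleared"))
        elif (ev.get("EventID") == 4688
              and ev.get("NewProcessName", "").lower().endswith("sqlservr.exe")
              and single_user_tokens(ev.get("CommandLine", ""))):
            findings.append(Finding("security", "single_user_mode_startup", who,
                                    f"Event 4688: {ev['CommandLine']}"))
    return findings


if __name__ == "__main__":
    for f in scan_errorlog(SAMPLE_ERRORLOG) + scan_security_events(SAMPLE_SECURITY_EVENTS):
        print(f"[{f.source}] {f.kind} by {f.account}: {f.detail}")
```

Two caveats apply when this is pointed at real logs. Event 4688 carries the command line only where the "Include command line in process creation events" audit policy is enabled; without it the -m check has nothing to read and only the ERRORLOG evidence remains. And when the instance is started through the Service Control Manager rather than by running sqlservr.exe directly, the 4688 subject is the SYSTEM account that services.exe runs as, so the operator who issued the start has to be tied in from the System-log service-control events and their logon session rather than from this one record.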