An Administrative Security Hole?

  • Nice feature. Especially considering the fact that if you have physical access to the server, you can gain administrator rights to Windows with a single reboot (2 for Active Directory DCs). Sure, you need to boot from CD/USB, so a password-protected BIOS boot menu will help, if available.

    Anyway, thanks for the editorial - good to know 🙂

  • The human factor is always a weak place.

    Nobody can be sure their treasure is in a safe if someone else has access to it, even as a DB admin or security officer.

    So the best solution for you is to be the only one who can use, control, manage, protect and support your own database.

    That "security hole" you described is needed for other reasons.

  • If someone has admin access to your server then you have to assume they're going to be able to extract data from it somehow, I think. Would it be considered a security hole if an admin got into your (non-SQL) payroll database? I think probably not, because admins have full access to the machine.

    In short, if someone who is not trustworthy has admin access to your server, you've lost the battle to start with.

  • If you can't trust your System Administrator you are in trouble. If the data was that important you'd also have other controls in place. I don't think this is really a security hole. A system/enterprise admin could also create a generic account and do damage to any system that he wished through assigning him/herself to any security group or policy. This is a person in a position of responsibility being malicious. If a server was put into single user mode a DBA would know about it and an investigation would take place. They wouldn't get away with it.

  • Considering it requires local administrator permissions, I wouldn't really call it a back door. Someone with local admin could just as easily stop SQL and copy off the data and log files, copy off the backups, install a kernel-level app that reads memory directly, install a network sniffer or any other manner of nasty tools.

    If someone has administrative permission (or the ability to gain administrative permissions) and wants to steal data/be malicious, there's very few ways to stop them. It's why the principle of least permissions is such a good idea. There should be very few people who have administrative rights to the server, and the DBA is not necessarily one of them.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • Although it is right that people with high-level rights are trusted, it is also important to verify they are not abusing that trust.

    In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled. This means that anyone performing an action that triggers a Windows Security event leaves a record of what has happened that is very difficult to remove.

    The result is that administration users are trusted and potential abuse of rights recorded for verification purposes. Local site staff management procedures then deal with gaining a justification of why the potentially abusive action occurred.

    When SQL Server is started in Single User mode, a Windows Security event should be triggered to record what has happened and the account name that started SQL Server.

    I have created a Connect suggestion for the above. If you think this is a good resolution :w00t: , or even if it is a bad idea :(, please vote at https://connect.microsoft.com/SQLServer/feedback/details/532175/trigger-a-windows-security-event-when-sql-server-stated-in-single-user-mode#details

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • EdVassie (2/9/2010)

    In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled.

    Problem is, they're local admins--they can get round stuff like that! If you block local file permissions to local admins to prevent them doing something, they can just take ownership of the file and change permissions as they wish. Long and short of it is, if you don't trust someone, you don't make them local admin, it's the only possible answer.

  • Time for DBAs to be humble... ahh, we're not masters of the universe.

  • Problem is, they're local admins--they can get round stuff like that!

    True for NT4, don't know for Windows 2000, but not true for Windows 2003 and above. There are lots of things that cannot be done by people with local admin authority.

    The Windows Security log is locked down by Windows, and GPOs can prevent local admin from clearing it and preventing a local admin from getting round this restriction. Even if you do clear it Windows will initialise the log with a record saying 'Cleared by joe bloggs' or whoever did the deed.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • GPOs can be bypassed by editing the registry. If I was really malicious, I'd create a local admin account, clear the security log using that, then delete it again to remove the audit trail. Or, I could shut the machine down and use some sort of boot CD to entirely delete the file containing the security event log, thus bypassing the "clear" option entirely. If someone asks, I'll just say the disk is clearly failing and needs replacement! 😀

  • EdVassie (2/9/2010)

    Although it is right that people with high-level rights are trusted, it is also important to verify they are not abusing that trust.

    Absolutely.

    Any unexpected restart of the SQL Service should be carefully investigated and a cause determined. There are very few good reasons for a production SQL instance to ever be started in single user mode, so if evidence of that appears in the SQL error log/windows event log there needs to be an investigation and both a reason and responsible person determined.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

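Two detective controls come up repeatedly in this thread: the Windows Security log keeps a record of who cleared it (EdVassie's point), and any start of SQL Server in single-user mode should show up in the SQL error log and be investigated (Gail's point). The script below is an added example, not code from any poster or from SQL Server itself. It scans a constructed SQL Server error log excerpt for a `-m` startup parameter and the "started in single-user mode" message, scans a constructed CSV export of Security events for event ID 1102 ("The audit log was cleared"), and correlates the two within a time window. The log format, the CSV column names and the sample values are all assumptions made for the example; only the `-m` switch, the single-user-mode message text and event ID 1102 are real.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample data for this example (not a real server's logs).
# SQL Server writes each startup parameter on its own continuation line
# under "Command Line Startup Parameters:" / "Registry startup parameters:".
SQL_ERRORLOG = """\
2010-02-09 02:14:07.11 Server      Microsoft SQL Server starting (constructed sample)
2010-02-09 02:14:07.12 Server      Command Line Startup Parameters:
     -m
2010-02-09 02:14:07.30 Server      Registry startup parameters:
     -d C:\\SQLData\\master.mdf
     -e C:\\SQLLogs\\ERRORLOG
2010-02-09 02:14:07.55 spid7s      Warning ******************
2010-02-09 02:14:07.55 spid7s      SQL Server started in single-user mode. This an informational message only. No user action is required.
"""

# Constructed CSV export of the Windows Security log (column names assumed).
SECURITY_CSV = """\
timestamp,channel,event_id,account,message
2010-02-09 01:00:12,Security,4624,svc_sql,An account was successfully logged on.
2010-02-09 02:09:40,Security,1102,jbloggs,The audit log was cleared.
"""


@dataclass
class Finding:
    source: str       # "sql_errorlog" or "win_security"
    when: datetime
    detail: str


# "YYYY-MM-DD HH:MM:SS.ff <spid/Server> <message>"
SQL_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(\S+)\s+(.*)$")


def scan_sql_errorlog(text: str) -> List[Finding]:
    """Flag a -m command-line parameter and the single-user-mode warning."""
    findings: List[Finding] = []
    last_ts = None
    in_cmdline = False
    for raw in text.splitlines():
        m = SQL_LINE.match(raw)
        if m:
            last_ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            msg = m.group(3).strip()
            in_cmdline = msg.startswith("Command Line Startup Parameters")
            if "single-user mode" in msg.lower():
                findings.append(Finding("sql_errorlog", last_ts, msg))
            continue
        # Continuation line: a startup parameter (-m may carry an app name, e.g. -mSQLCMD)
        param = raw.strip()
        if in_cmdline and last_ts and re.fullmatch(r"-m\S*", param):
            findings.append(Finding("sql_errorlog", last_ts, f"startup parameter {param}"))
    return findings


def scan_security_events(text: str) -> List[Finding]:
    """Flag event 1102: the Security log was cleared (Windows records the account)."""
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["event_id"]) == 1102:
            when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
            findings.append(Finding("win_security", when, f"audit log cleared by {row['account']}"))
    return findings


def correlate(findings: List[Finding], window: timedelta = timedelta(hours=1)) -> List[Tuple[Finding, Finding]]:
    """Pair each single-user-mode indicator with any log-clear event inside the window."""
    sql = [f for f in findings if f.source == "sql_errorlog"]
    win = [f for f in findings if f.source == "win_security"]
    return [(s, w) for s in sql for w in win if abs(s.when - w.when) <= window]


if __name__ == "__main__":
    all_findings = scan_sql_errorlog(SQL_ERRORLOG) + scan_security_events(SECURITY_CSV)
    for f in all_findings:
        print(f"{f.when}  [{f.source}]  {f.detail}")
    for s, w in correlate(all_findings):
        print(f"INVESTIGATE: {s.detail!r} at {s.when} within 1h of {w.detail!r} at {w.when}")
```

Either finding on its own deserves a ticket; the correlation is what turns "someone restarted SQL" into "someone restarted SQL in single-user mode shortly after the Security log was wiped, and Windows still names the account that wiped it". On a real estate the inputs would be the ERRORLOG files and a Security-log export from a central collector rather than the constructed strings above.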
  • paul.knibbs (2/9/2010)

    Or, I could shut the machine down and use some sort of boot CD to entirely delete the file containing the security event log, thus bypassing the "clear" option entirely. If someone asks, I'll just say the disk is clearly failing and needs replacement! 😀

    I've worked in places where physical access to the server required 2 database/server admins and someone from security to be present all the time. All servers had a password-protected BIOS that was set to boot only from the hard drive (the password being stored in an envelope in a safe).

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass

  • If I was really malicious...

    I've worked in places where doing all of that without getting management approval and a second opinion (even in the middle of the night) would be a career-limiting experience.

    And I have worked in other places where you might be seen as a hero for preventing a failure no-one knew about.

    Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017, 2016, 2014, 2012, 2008 R2, 2008 and 2005.

    When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara

  • Oh, I wasn't saying that doing all that would necessarily hide what you're doing, but then, I'm no expert at hacking. I'm sure someone who was would be able to do a much better job of hiding their tracks than me! I'm sure there's any number of ways someone with local admin access on the machine could get that data off--an admin can install pretty much anything, and unless you have multiple admins all watching what each other are doing, something could slip through the net.
