SQL Clone
SQLServerCentral is supported by Redgate
Log in  ::  Register  ::  Not logged in

Brief from David Litchfield about Administrator Logins to a Database Server

David Litchfield has put out a brief (as he says it, "It's called a brief because there's enough meat to make it interesting but not enough to make it a paper ;) ) on why no one should log onto a database server (or any server hosting network based services which use Windows authentication) with administrative rights. I understand the gist of how the situation can be exploited. However, from a practicality perspective, this is a problem. I suppose a work around is to log on as a power user, stop the service, then log on as an administrator, although if an exploit can get placed on the server, even this isn't altogether safe. This makes doing things like applying security patches and the like problematic given that many of the automated tools do so using a Windows-based login to push a package down upon the system (Microsoft's WSUS being an exception).

You can find the brief here: http://www.databasesecurity.com/dbsec/db-sec-tokens.pdf

K. Brian Kelley - Databases, Infrastructure, and Security

IT Security, MySQL, Perl, SQL Server, and Windows technologies.


No comments.

Leave a Comment

Please register or log in to leave a comment.