http://www.sqlservercentral.com/blogs/brian_kelley/2005/11/19/brief-from-david-litchfield-about-administrator-logins-to-a-database-server/

Printed 2014/08/30 06:28AM

Brief from David Litchfield about Administrator Logins to a Database Server

2005/11/19

David Litchfield has put out a brief (as he says it, "It's called a brief because there's enough meat to make it interesting but not enough to make it a paper ;) ) on why no one should log onto a database server (or any server hosting network based services which use Windows authentication) with administrative rights. I understand the gist of how the situation can be exploited. However, from a practicality perspective, this is a problem. I suppose a work around is to log on as a power user, stop the service, then log on as an administrator, although if an exploit can get placed on the server, even this isn't altogether safe. This makes doing things like applying security patches and the like problematic given that many of the automated tools do so using a Windows-based login to push a package down upon the system (Microsoft's WSUS being an exception).

You can find the brief here: http://www.databasesecurity.com/dbsec/db-sec-tokens.pdf


Copyright © 2002-2014 Simple Talk Publishing. All Rights Reserved. Privacy Policy. Terms of Use. Report Abuse.