Do you check for TRUSTWORTHY databases as part of your security audits?

I ran a Twitter poll the other day: “Do you check for databases with TRUSTWORTHY turned on when you do security audits?”


I wasn’t surprised (although a little disappointed) that out of the 9 people who answered, only one person did, and of the rest, 5 didn’t even know what TRUSTWORTHY is. I even had one person ask me later. That’s somewhat scary because under the right circumstances, if you give me a database with TRUSTWORTHY turned on, I can take over your instance. I’m NOT going to show you how, but it isn’t terribly difficult.

So what is the TRUSTWORTHY database property? When it is turned on, SQL Server trusts the contents of the database. Not terribly clear if you ask me.

I haven’t been able to find a whole lot out about all of the details of it but here are a few that I do know.

  • It allows impersonation inside the database to carry server-level permissions. This has some scary potential if you aren’t careful with it.
  • If you restore or attach a database, this setting is automatically turned off.
  • msdb is the only database with TRUSTWORTHY automatically set on.

Because of the potential to use instance-level security from inside the database, you need to be particularly careful when granting access to one of these databases. Like I said above, with the right access (and one or two other things) a user in a trusted database can take over the instance.

So my recommendation is that when you are doing a security audit you should include a check for TRUSTWORTHY databases (sys.databases.is_trustworthy_on = 1). For any TRUSTWORTHY database you find, carefully check the permissions of the database owner and those of the users of the database.

SELECT sys.server_principals.name AS Owner, sys.databases.*
FROM sys.databases
LEFT OUTER JOIN sys.server_principals
    ON sys.databases.owner_sid = sys.server_principals.sid
WHERE is_trustworthy_on = 1
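The query above tells you which databases are TRUSTWORTHY and who owns them. The following T-SQL is an added audit example (not part of the original post) that goes two steps further: it flags whether the owner login holds sysadmin, generates (but does not run) the ALTER DATABASE statement that would turn the property off, and then lists every user and database-role membership inside each TRUSTWORTHY database so the owner and user permissions the post says to check are all in one result. The exclusion of msdb and the choice to only generate the remediation text rather than execute it are my own assumptions about how an auditor would want it to behave.

```sql
-- Step 1: TRUSTWORTHY databases, their owner, and whether that owner is sysadmin.
-- msdb is excluded because it is TRUSTWORTHY by design (assumption: you do not want it in the findings).
SELECT
    d.name                                   AS database_name,
    sp.name                                  AS owner_login,
    CASE
        WHEN sp.sid IS NULL THEN 'orphaned / unknown owner'
        WHEN IS_SRVROLEMEMBER('sysadmin', sp.name) = 1 THEN 'YES'
        ELSE 'no'
    END                                      AS owner_is_sysadmin,
    d.state_desc,
    -- remediation is generated as text only; review before running it
    'ALTER DATABASE ' + QUOTENAME(d.name) + ' SET TRUSTWORTHY OFF;' AS remediation
FROM sys.databases AS d
LEFT OUTER JOIN sys.server_principals AS sp
    ON d.owner_sid = sp.sid
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
ORDER BY d.name;

-- Step 2: users and database-role membership inside each TRUSTWORTHY database.
-- One UNION ALL statement is built dynamically so the script works without
-- changing database context and without undocumented procedures.
DECLARE @sql nvarchar(max) = N'';

SELECT @sql = @sql + N'
SELECT ' + QUOTENAME(d.name, '''') + N' AS database_name,
       dp.name      AS user_name,
       dp.type_desc AS user_type,
       r.name       AS database_role      -- NULL when the user holds no role
FROM ' + QUOTENAME(d.name) + N'.sys.database_principals AS dp
LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.database_role_members AS rm
       ON rm.member_principal_id = dp.principal_id
LEFT JOIN ' + QUOTENAME(d.name) + N'.sys.database_principals AS r
       ON r.principal_id = rm.role_principal_id
WHERE dp.type IN (''S'', ''U'', ''G'')     -- SQL users, Windows users, Windows groups
  AND dp.name NOT IN (''guest'', ''sys'', ''INFORMATION_SCHEMA'')
UNION ALL'
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> 'msdb'
  AND d.state_desc = 'ONLINE';            -- offline databases cannot be queried

-- Drop the trailing UNION ALL and run the assembled statement (nothing to run if no findings).
IF LEN(@sql) > 0
BEGIN
    SET @sql = LEFT(@sql, LEN(@sql) - LEN(N'UNION ALL'));
    EXEC sys.sp_executesql @sql;
END;
```

Run it as a login that can read every database's catalog views (VIEW ANY DEFINITION or sysadmin). A TRUSTWORTHY database whose owner is sysadmin and which has db_owner members you do not fully trust is the combination to fix first; the usual fix is to turn the property off and, if the database needs it (for example for cross-database access or unsafe CLR), to make sure the owner is a low-privileged login instead of sa.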

Filed under: Microsoft SQL Server, Security, SQLServerPedia Syndication Tagged: database settings, microsoft sql server, security

SQLStudies

My name is Kenneth Fisher and I am Senior DBA for a large (multi-national) insurance company. I have been working with databases for over 20 years, starting with Clarion and Foxpro. I’ve been working with SQL Server for 12 years but have only really started “studying” the subject for the last 3. I don’t have any real "specialities" but I enjoy troubleshooting and teaching. Thus far I’ve earned my MCITP Database Administrator 2008, MCTS Database Administrator 2005, and MCTS Database Developer 2008. I’m currently studying for my MCITP Database Developer 2008 and should start in on the 2012 exams next year. My blog is at www.sqlstudies.com.
