Prevent users from impersonating sysadmin using runas /netonly

Question

Prevent users from impersonating sysadmin using runas /netonly

robbase9

Mr or Mrs. 500

Points: 517
More actions
July 25, 2012 at 4:56 pm

#264686

So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:
runas /netonly /user:domain\username “C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe”
So the only thing that is needed to run as a sysadmin is to know the users' login?
How is this possible and how do I prevent it?

Viewing 5 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic. Login to reply

Orlando Colamatteo SSC Guru Points: 182276 More actions · Answer 1

robbase9 (7/25/2012)
So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:
runas /netonly /user:domain\username “C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe”
So the only thing that is needed to run as a sysadmin is to know the users' login?
How is this possible and how do I prevent it?

runas will prompt for the password of the account specified after /user:, i.e. whomever is using runas to open SSMS also muct know the password for domain\username in order to launch SSMS. Try it yourself.

There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato

Gail Shaw SSC Guru Points: 1004504 More actions · Answer 2

Does your company have an IT security policy? If so, does it say anything about using other people's logins without their permission?

Company I used to work for had such a security policy and what you describe there was a dismissable offence.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass

Arjen Krap SSC-Addicted Points: 473 More actions · Answer 3

To prevent someone from logging on with your account follow these three guidelines:

- Don't share your password with anyone.

- Don't write your password down somewhere where someone else can read it.

- Change your password regularly.

Also note you can restrict a user account to log on only specific computer in Active Directory(AD). You can also grant or deny users and group log on permissions in the computer's security policy, which can be distibuted from AD using a Group Policy Object(GPO).

robbase9 Mr or Mrs. 500 Points: 517 More actions · Answer 4

Oh, you have to have the password too. That sounds better. That just means they're sharing passwords, which is a different matter.

Thanks, guys or gals.