croberts 36762 (9/2/2010)
Excellent article. I have one question about the workaround. If a person has SecurityAdmin, could they give themselves permission to alter the LimitSecurityAdmin trigger?
No. As a securityadmin, you cannot assign permissions to your own login. But that makes me think there's another attack vector that I need to test.
Steve, I would agree with you, but Microsoft was adamant this isn't to be considered a bug. And to consider securityadmin = sysadmin. However, I know folks who've converted and have controls in place assuming securityadmin is limited, so they're stuck in the middle. I wish they would consider it a bug, too, because as Chris just brought up, there are surely more attack vectors.
K. Brian Kelley
@kbriankelley