Prevent users from impersonating sysadmin using runas /netonly
robbase9
SSC Rookie (43 reputation)

Group: General Forum Members
Points: 43 Visits: 222
So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

So the only thing that is needed to run as a sysadmin is to know the users' login?

How is this possible and how do I prevent it?
Orlando Colamatteo
SSCoach (15K reputation)

Group: General Forum Members
Points: 15427 Visits: 14396
robbase9 (7/25/2012)
So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

So the only thing that is needed to run as a sysadmin is to know the users' login?

How is this possible and how do I prevent it?

runas will prompt for the password of the account specified after /user:, i.e. whoever is using runas to open SSMS must also know the password for domain\username in order to launch SSMS. Try it yourself.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
GilaMonster
SSC Guru (90K reputation)

Group: General Forum Members
Points: 90801 Visits: 45284
Does your company have an IT security policy? If so, does it say anything about using other people's logins without their permission?

The company I used to work for had such a security policy, and what you describe there was a dismissible offence.

Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


Arjen Krap
Valued Member (73 reputation)

Group: General Forum Members
Points: 73 Visits: 215
To prevent someone from logging on with your account, follow these three guidelines:

- Don't share your password with anyone.
- Don't write your password down somewhere where someone else can read it.
- Change your password regularly.

Also note that you can restrict a user account to log on only to specific computers in Active Directory (AD). You can also grant or deny users and groups log-on permissions in the computer's security policy, which can be distributed from AD using a Group Policy Object (GPO).
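One way to spot the pattern from the SQL Server side, as an added example that is not from any poster in this thread: a T-SQL query over sys.dm_exec_sessions that lists sessions authenticated as a sysadmin login but connecting from a workstation that is not on an allow-list of expected hosts. The login and host names in @ExpectedHosts are constructed placeholders.

```sql
-- Constructed allow-list: the workstation each privileged login is expected
-- to connect from. In practice this would come from an inventory table;
-- the values below are made-up examples.
DECLARE @ExpectedHosts TABLE (login_name sysname, host_name sysname);
INSERT INTO @ExpectedHosts (login_name, host_name) VALUES
    (N'CORP\dba.alice', N'DBA-WS01'),   -- constructed
    (N'CORP\dba.bob',   N'DBA-WS02');   -- constructed

-- Every current user session whose login is a sysadmin but whose client
-- workstation is not on the allow-list for that login. A client launched
-- with runas /netonly still runs on the user's own machine (e.g. a VM), so
-- host_name reports that machine rather than the sysadmin's usual one.
-- Note: IS_SRVROLEMEMBER returns NULL for Windows logins that hold
-- sysadmin only through group membership, so those are not caught here.
SELECT  s.session_id,
        s.login_name,
        s.host_name,
        c.client_net_address,
        s.program_name,
        s.login_time
FROM    sys.dm_exec_sessions AS s
JOIN    sys.dm_exec_connections AS c
        ON c.session_id = s.session_id
LEFT JOIN @ExpectedHosts AS e
        ON e.login_name = s.login_name
       AND e.host_name  = s.host_name
WHERE   s.is_user_process = 1
  AND   IS_SRVROLEMEMBER(N'sysadmin', s.login_name) = 1
  AND   e.login_name IS NULL        -- no allow-list match for this login/host pair
ORDER BY s.login_time DESC;
```

host_name is supplied by the client library and can be set in a connection string, so treat it as a signal to investigate alongside client_net_address rather than as proof; a server audit or logon trigger gives a persistent record where this query only shows live sessions.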
robbase9
SSC Rookie (43 reputation)

Group: General Forum Members
Points: 43 Visits: 222
Oh, you have to have the password too. That sounds better. That just means they're sharing passwords, which is a different matter.

Thanks, guys or gals.