View Server State Permission - Risks?

Author
Message
kumar_sreenivasan
Valued Member
Group: General Forum Members
Points: 59 Visits: 144
What are the security risks of granting VIEW SERVER STATE permission to developers on a production instance?
- Does any of the DMVs expose password information?
- Can the actual transaction data (from the OLTP database tables) be viewed from the DMVs?
Luis Cazares
SSC Guru
Group: General Forum Members
Points: 51911 Visits: 20016
1.- No, password information is never revealed.
2.- Not exactly, just number of rows (AFAIK).

Luis C.
General Disclaimer:
Are you seriously taking the advice and code from someone from the internet without testing it? Do you at least understand it? Or can it easily kill your server?

How to post data/code on a forum to get the best help: Option 1 / Option 2
SQLRNNR
SSC Guru
Group: General Forum Members
Points: 81850 Visits: 18575
Consider it like read-only access to DMV/system information and schema info, but not the direct ability to view the data.

Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP

SQL RNNR

Posting Performance Based Questions - Gail Shaw

kumar_sreenivasan
Valued Member
Group: General Forum Members
Points: 59 Visits: 144
Thanks. So are there no security risks? What are the best practices for granting VIEW SERVER STATE permission to developers (non-sysadmins) on production SQL instances?
Erland Sommarskog
SSCertifiable
Group: General Forum Members
Points: 6840 Visits: 875
The question is not entirely easy to answer, and ultimately it depends on why you want to give developers VIEW SERVER STATE and how much you trust them.

With VIEW SERVER STATE it is possible to see some data, for instance constants and parameters in query plans and query text. From estimates in query plans, you can draw some conclusions about the data profile. No, it is not a particularly simple exercise, but if you have very sensitive data, you may have reason to be worried.

If you want to give developers VIEW SERVER STATE for a specific purpose, one alternative is to package that in a stored procedure which you sign with a certificate, then create a login from that certificate and grant that login VIEW SERVER STATE.

Erland Sommarskog, SQL Server MVP, www.sommarskog.se
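The certificate-signing approach described above, written out as an added T-SQL example (constructed for this thread, not Erland's own code). The database, procedure, certificate, login and role names are placeholders, and the CERTENCODED / FROM BINARY step assumes SQL Server 2012 or later; on older versions, move the certificate to master with BACKUP CERTIFICATE / CREATE CERTIFICATE FROM FILE instead.

```sql
USE YourUserDb;   -- placeholder: the database where the procedure lives
GO
-- 1. The narrow, read-only procedure developers are allowed to call.
--    It exposes only the columns this purpose needs, not the whole DMV surface.
CREATE PROCEDURE dbo.ShowRunningRequests
AS
BEGIN
    SET NOCOUNT ON;
    SELECT r.session_id, r.status, r.command, r.wait_type,
           r.cpu_time, r.total_elapsed_time, DB_NAME(r.database_id) AS database_name
    FROM sys.dm_exec_requests AS r
    WHERE r.session_id > 50;   -- skip system sessions
END;
GO
-- 2. Certificate in this database; the private key is only needed for signing.
CREATE CERTIFICATE VssSigningCert
    ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Carries VIEW SERVER STATE for signed procedures';
GO
ADD SIGNATURE TO dbo.ShowRunningRequests
    BY CERTIFICATE VssSigningCert WITH PASSWORD = '<placeholder-strong-password>';
GO
-- 3. Copy only the public part of the certificate to master, map a login to it,
--    and grant that login (which cannot actually log in) VIEW SERVER STATE.
DECLARE @public_cert varbinary(max) = CERTENCODED(CERT_ID('VssSigningCert'));
DECLARE @sql nvarchar(max) = N'USE master;
    CREATE CERTIFICATE VssSigningCert FROM BINARY = '
    + CONVERT(nvarchar(max), @public_cert, 1) + N';
    CREATE LOGIN VssSigningLogin FROM CERTIFICATE VssSigningCert;
    GRANT VIEW SERVER STATE TO VssSigningLogin;';
EXEC (@sql);
GO
-- 4. Developers get EXECUTE on the procedure only; the server-level permission
--    is attached to the signature, never to their own logins.
GRANT EXECUTE ON dbo.ShowRunningRequests TO DevMonitoringRole;   -- placeholder role
GO
-- 5. Check: ALTER PROCEDURE silently drops the signature, so verify it after
--    every deployment. An unsigned procedure simply fails with a permission error.
SELECT OBJECT_NAME(cp.major_id) AS signed_object, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.class_desc = 'OBJECT_OR_COLUMN';
GO
```

Re-run step 2's ADD SIGNATURE whenever the procedure is altered; the check in step 5 returning no row for the procedure is the signal that this was forgotten.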