An Administrative Security Hole?


Steve Jones
Comments posted to this topic are about the item An Administrative Security Hole?

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
kasztnert
Nice feature. Especially considering the fact that if you have physical access to the server, you can gain administrator rights to Windows with a single reboot (2 for Active Directory DCs). Sure, you need to boot from CD/USB, so a password-protected BIOS boot menu will help, if available.
Anyway, thanks for the editorial - good to know :)
renat ka
The human factor is always a weak place.
Nobody can be sure their treasure is safe if someone else has access to it, even as a DB admin or security officer.
So the best solution for you is to be the only man who can use, control, manage, protect and support your own database.
That "security hole" you described is needed for other reasons.
paul.knibbs
If someone has admin access to your server then you have to assume they're going to be able to extract data from it somehow, I think. Would it be considered a security hole if an admin got into your (non-SQL) payroll database? I think probably not, because admins have full access to the machine.

In short, if someone who is not trustworthy has admin access to your server, you've lost the battle to start with.
Gingkoo
If you can't trust your System Administrator you are in trouble. If the data was that important you'd also have other controls in place. I don't think this is really a security hole. A system/enterprise admin could also create a generic account and do damage to any system that he wished through assigning him/herself to any security group or policy. This is a person in a position of responsibility being malicious. If a server was put into single user mode a DBA would know about it and an investigation would take place. They wouldn't get away with it.
GilaMonster
Considering it requires local administrator permissions, I wouldn't really call it a back door. Someone with local admin could just as easily stop SQL and copy off the data and log files, copy off the backups, install a kernel-level app that reads memory directly, install a network sniffer or any other manner of nasty tools.

If someone has administrative permission (or the ability to gain administrative permissions) and wants to steal data/be malicious, there's very few ways to stop them. It's why the principle of least permissions is such a good idea. There should be very few people who have administrative rights to the server, and the DBA is not necessarily one of them.


Gail Shaw
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

We walk in the dark places no others will enter
We stand on the bridge and no one may pass


EdVassie
Although it is right that people with high-level rights are trusted, it is also important to verify they are not abusing that trust.

In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled. This means that anyone performing an action that triggers a Windows Security event leaves a record of what has happened that is very difficult to remove.

The result is that administration users are trusted and potential abuse of rights recorded for verification purposes. Local site staff management procedures then deal with gaining a justification of why the potentially abusive action occurred.

When SQL Server is started in Single User mode, a Windows Security event should be triggered to record what has happened and the account name that started SQL Server.

I have created a Connect suggestion for the above. If you think this is a good resolution, or even if it is a bad idea, please vote at https://connect.microsoft.com/SQLServer/feedback/details/532175/trigger-a-windows-security-event-when-sql-server-stated-in-single-user-mode#details

Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005. 1 Dec 2016: now over 39,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Quote: "When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist." - Archbishop Hélder Câmara
paul.knibbs
EdVassie (2/9/2010): "In most installations where trust is an important issue, the ability of local administrators to clear the Windows Security log is disabled."


Problem is, they're local admins--they can get round stuff like that! If you block local file permissions to local admins to prevent them doing something, they can just take ownership of the file and change permissions as they wish. Long and short of it is, if you don't trust someone, you don't make them local admin, it's the only possible answer.
Gingkoo
Time for DBAs to be humble... ahh, we're not masters of the universe.
EdVassie
"Problem is, they're local admins--they can get round stuff like that!"


True for NT4, don't know for Windows 2000, but not true for Windows 2003 and above. There are lots of things that cannot be done by people with local admin authority.

The Windows Security log is locked down by Windows, and GPOs can prevent a local admin from clearing it and prevent a local admin from getting round this restriction. Even if you do clear it, Windows will initialise the log with a record saying 'Cleared by joe bloggs' or whoever did the deed.

Original author: SQL Server FineBuild 1-click install and best practice configuration of SQL Server 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005. 1 Dec 2016: now over 39,000 downloads.
Disclaimer: All information provided is a personal opinion that may not match reality.
Quote: "When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist." - Archbishop Hélder Câmara
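The verification EdVassie describes in the two posts above, sketched as an added example that is not part of the thread: it finds single-user-mode starts in a SQL Server ERRORLOG and pairs each with any Security-log clear that follows within an hour. Assumptions: the ERRORLOG message wording, event ID 1102 ("The audit log was cleared", Windows Server 2008 and later), and the CSV export layout; all sample data and account names are constructed.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread); ERRORLOG wording is an assumption.
ERRORLOG = """\
2010-02-09 03:10:02.11 Server      Registry startup parameters:
2010-02-09 03:10:02.11 Server      Command Line Startup Parameters: -m
2010-02-09 03:10:02.40 Server      SQL Server started in single-user mode. This an informational message only. No user action is required.
2010-02-10 08:00:00.05 Server      Registry startup parameters:
"""
# Constructed export of Security-log events: time, event id, account.
SECURITY_CSV = """\
TimeCreated,Id,Account
2010-02-09 03:25:41,1102,CORP\\jbloggs
2010-02-11 14:02:00,1102,CORP\\auditor
2010-02-09 03:12:00,4624,CORP\\jbloggs
"""
AUDIT_LOG_CLEARED = 1102  # assumed event ID: Windows Server 2008 and later
SINGLE_USER = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+\S+\s+.*started in single-user mode",
    re.I)
TS = "%Y-%m-%d %H:%M:%S"

def single_user_starts(errorlog_text):
    """Timestamps of every single-user-mode start recorded in an ERRORLOG."""
    hits = []
    for line in errorlog_text.splitlines():
        m = SINGLE_USER.match(line)
        if m:
            hits.append(datetime.strptime(m.group(1), TS))
    return hits

def log_clears(security_csv):
    """(time, account) for every audit-log-cleared event in the export."""
    rows = csv.DictReader(io.StringIO(security_csv))
    return [(datetime.strptime(r["TimeCreated"], TS), r["Account"])
            for r in rows if int(r["Id"]) == AUDIT_LOG_CLEARED]

def suspicious(errorlog_text, security_csv, window=timedelta(hours=1)):
    """Pair each single-user start with log clears that follow it within `window`."""
    clears = log_clears(security_csv)
    return [(start, when, who) for start in single_user_starts(errorlog_text)
            for when, who in clears if timedelta(0) <= when - start <= window]

if __name__ == "__main__":
    for start, when, who in suspicious(ERRORLOG, SECURITY_CSV):
        print(f"single-user start {start}; Security log cleared {when} by {who}")
```

Forwarding both logs to a collector the server's local administrators cannot write to keeps this check meaningful even if the local copies are altered.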