Restricting SecurityAdmin on SQL Server 2005/2008


K. Brian Kelley
Comments posted to this topic are about the item Restricting SecurityAdmin on SQL Server 2005/2008

K. Brian Kelley
@‌kbriankelley
SQLRNNR
Thanks for demonstrating this vulnerability.



Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server, MVP


SQL RNNR

Posting Performance Based Questions - Gail Shaw

clementhuge
Excellent article!

Clement
wmt
Excellent, informative and slightly scary - all at once!
Rob-792003
Thanks for raising the awareness of this behavior!
Steve Jones
Excellent article and I noticed this on your blog recently and was concerned.

It seems like this is a bug since essentially the securityadmin role now has no real meaning. You might as well be a sysadmin or not have this at all.

I would love to see a server level role that allowed someone to add a login, and a user for a specific database(s) only. That's the type of permissions that I often want to hand over to another person.

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
croberts 36762
Excellent article.

I have one question about the workaround. If a person has SecurityAdmin, could they give themselves permission to alter the LimitSecurityAdmin trigger?

Chris
K. Brian Kelley
croberts 36762 (9/2/2010)
Excellent article.

I have one question about the workaround. If a person has SecurityAdmin, could they give themselves permission to alter the LimitSecurityAdmin trigger?


No. As a securityadmin, you cannot assign permissions to your own login. But that makes me think there's another attack vector that I need to test.

Steve, I would agree with you, but Microsoft was adamant this isn't to be considered a bug. And to consider securityadmin = sysadmin. However, I know folks who've converted and have controls in place assuming securityadmin is limited, so they're stuck in the middle. I wish they would consider it a bug, too, because as Chris just brought up, there are surely more attack vectors.

K. Brian Kelley
@‌kbriankelley
timothyawiseman
It is definitely good to have this pointed out since a lot of people do not realize it, and this was well written and clear.

From my standpoint, it tends to be irrelevant. Even if they cannot take full control of the server, someone with even the SQL Server 2000 limited version of SecurityAdmin could cause so much mischief I would never hand it to someone I would not trust with full control server. At that point, I see the value of it in keeping honest people honest. Even if they know how to bypass it easily, they are faced with the fact that they are bypassing it. This reminds them that they are doing something that is properly in someone else's domain. For a trustworthy person, that is enough; for a non-trustworthy person even limited SecurityAdmin is far too much power.

---
Timothy A Wiseman
SQL Blog: http://timothyawiseman.wordpress.com/
K. Brian Kelley
timothyawiseman (9/2/2010)
It is definitely good to have this pointed out since a lot of people do not realize it, and this was well written and clear.

From my standpoint, it tends to be irrelevant. Even if they cannot take full control of the server, someone with even the SQL Server 2000 limited version of SecurityAdmin could cause so much mischief I would never hand it to someone I would not trust with full control server. At that point, I see the value of it in keeping honest people honest. Even if they know how to bypass it easily, they are faced with the fact that they are bypassing it. This reminds them that they are doing something that is properly in someone else's domain. For a trustworthy person, that is enough; for a non-trustworthy person even limited SecurityAdmin is far too much power.


Agreed, to a point. From a Principle of Least Privilege perspective, even if you trust someone to be a sysadmin, but they only should be doing the work of a securityadmin, you give them securityadmin. Only the permissions to do the job - no more, no less. And that's where this really busts audit controls.

K. Brian Kelley
@‌kbriankelley
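
Added example, not part of the thread or the article it discusses: an audit query for the point made above that securityadmin has to be treated as equivalent to sysadmin. It lists every login that is a member of securityadmin without also being a member of sysadmin, using the server catalog views present in SQL Server 2005/2008; the column aliases and the review_note wording are chosen here for illustration.

```sql
-- Added example: find principals whose documented privilege level (securityadmin)
-- understates their effective one. Run as a sysadmin so all principals are visible.
SELECT  m.name        AS login_name,
        m.type_desc   AS login_type,
        m.is_disabled,
        m.create_date,
        m.modify_date,
        CASE m.type_desc
            -- A Windows group row stands for every account in that group;
            -- its membership has to be reviewed in Active Directory as well.
            WHEN 'WINDOWS_GROUP' THEN 'Group: review all members as sysadmin-equivalent'
            ELSE 'Review as sysadmin-equivalent'
        END           AS review_note
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r
          ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m
          ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'securityadmin'
  -- Exclude logins already recorded as sysadmin: those are not a gap in the audit.
  AND   NOT EXISTS (
            SELECT 1
            FROM   sys.server_role_members AS rm2
            JOIN   sys.server_principals   AS r2
                     ON r2.principal_id = rm2.role_principal_id
            WHERE  r2.name = N'sysadmin'
              AND  rm2.member_principal_id = m.principal_id
        )
ORDER BY m.name;
```

Any row returned is a login that an audit control built on "securityadmin is limited" would classify too low.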