Database ownership and TRUSTWORTHY

  • Comments posted to this topic are about the item Database ownership and TRUSTWORTHY

  • This article is a rare example of what I expect of a well-written article.

    Exposure at the beginning, conclusion, references, some reasonable reasoning in the main part.

    Congratulations.

  • h.tobisch (1/29/2015)


    This article is a rare example of what I expect of a well-written article.

    Exposure at the beginning, conclusion, references, some reasonable reasoning in the main part.

    Congratulations.

    Thanks! Since this is my first one, I didn't want to miss any of those points. Experts are watching all your moves...

  • I agree. Very well done.



    Colleen M. Morrow
    Cleveland DBA

  • I concur. Nice job! Thank you for this.

  • Thanks for taking the time to write this up. Excellent job, and very timely!

  • This is important information I did not know. Thanks.

  • Thanks for the information.

    But that raises a question for me.

    If we are not to use TRUSTWORTHY with SA access, what about the MSDB? Since Microsoft has set the MSDB to TRUSTWORTHY and ownership is 'SA', does that pose similar security risks? Should one change ownership of MSDB to a non-privileged account? I am confused since Microsoft says not to alter the ownership of system databases.

  • Ken Grissom-138180 (3/4/2015)


    Thanks for the information.

    But that raises a question for me.

    If we are not to use TRUSTWORTHY with SA access, what about the MSDB? Since Microsoft has set the MSDB to TRUSTWORTHY and ownership is 'SA', does that pose similar security risks? Should one change ownership of MSDB to a non-privileged account? I am confused since Microsoft says not to alter the ownership of system databases.

    Generally speaking, you should not change any settings on system databases (not speaking of tempdb or model though), but bear in mind that privilege escalation is a combination of factors, which are:

    - Database ownership with high privileges

    - TRUSTWORTHY ON

    - And what is also required is to have database users who are members of the db_owner database group, which can impersonate [dbo]

    Without any of those, escalation is not possible (by using impersonation).

    So as long as you don't have any user in db_owner (and I don't see a reason why you should in the msdb database), you're absolutely fine.

    Hope that clears things up for you.

    Cheers
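
The three factors listed in the reply above can be checked together across an instance. The following read-only T-SQL is an added example, not code from the article or from any poster in this thread; it treats "high privileges" as sysadmin membership (an assumption), and the temp table and cursor names are made up for illustration.

```sql
-- Added audit example (not from the thread). Read-only apart from a temp table.
-- Assumption: "high privileges" means the owner login is a sysadmin member.
DECLARE @db sysname, @sql nvarchar(max);

-- Hypothetical temp table collecting factor 3 (non-dbo members of db_owner).
CREATE TABLE #db_owner_members (database_name sysname, member_name sysname);

-- Factors 1 and 2: owner is a sysadmin AND TRUSTWORTHY is ON.
DECLARE flagged CURSOR LOCAL FAST_FORWARD FOR
    SELECT d.name
    FROM sys.databases AS d
    JOIN sys.server_principals AS sp ON sp.sid = d.owner_sid
    WHERE d.is_trustworthy_on = 1
      AND d.state = 0                                   -- ONLINE only
      AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1;

OPEN flagged;
FETCH NEXT FROM flagged INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Factor 3: who, besides dbo itself, is in db_owner in that database?
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        INSERT #db_owner_members (database_name, member_name)
        SELECT DB_NAME(), m.name
        FROM sys.database_role_members AS rm
        JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''db_owner'' AND m.name <> N''dbo'';';
    EXEC sys.sp_executesql @sql;
    FETCH NEXT FROM flagged INTO @db;
END
CLOSE flagged;
DEALLOCATE flagged;

-- Any row here means all three factors are present for that database.
-- msdb is expected to satisfy factors 1 and 2; it only appears if someone
-- has been added to db_owner there.
SELECT database_name, member_name
FROM #db_owner_members
ORDER BY database_name, member_name;

DROP TABLE #db_owner_members;
```

An empty result means no database on the instance currently combines all three conditions; each row returned names a principal to review.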

  • A client application I work with uses TRUSTWORTHY on the backend db and I wasn't convinced they needed it (it's a bad application) but your article has given me a better understanding.

    Thanks

    qh

    Who looks outside, dreams; who looks inside, awakes. – Carl Jung.
