Running as SysAdmin

  • nice bit of thread necroing here, but it's worth all the responses together I suppose.

    My most recent example: The sa user was used by a web application to access the database and the credentials were stored in plain text in the web.config file. The web directory was shared (read only) to the network with very wide access rights and the same password was used for an administrator account (different username but easy to guess as it was name of the supplier).

    I'm sure others have seen worse, but this is pretty spectacular and only falls short of giving all network users db admin access by default...
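The fix for the situation described in that post, as an added T-SQL example (not code from the thread or from the poster): a dedicated login for the application with no server roles, a database user in a role that can only execute the procedures in one schema, and a verification block that confirms the login is not sysadmin and cannot touch the table directly. Every name here (database OrdersDb, schema app, table dbo.Customers, login WebApp_Login, user WebApp_User, role db_webapp) is an assumption chosen for the example.

```sql
-- Added example, not from the original thread. Assumed names: OrdersDb,
-- schema app, dbo.Customers, WebApp_Login, WebApp_User, db_webapp.
-- Run once as a DBA; afterwards web.config says "User ID=WebApp_Login",
-- never "User ID=sa", and the password comes from a secret store.
USE master;
GO
CREATE LOGIN WebApp_Login
    WITH PASSWORD = N'replace-with-a-vault-generated-secret',
         CHECK_POLICY = ON;
-- Deliberately absent: ALTER SERVER ROLE sysadmin ADD MEMBER WebApp_Login;
GO
USE OrdersDb;
GO
CREATE USER WebApp_User FOR LOGIN WebApp_Login;
GO
CREATE SCHEMA app AUTHORIZATION dbo;
GO
CREATE TABLE dbo.Customers
(
    CustomerId int           NOT NULL PRIMARY KEY,
    Email      nvarchar(256) NOT NULL
);
GO
-- The application's only entry point to the data. Because schema app,
-- the procedure and the table are all owned by dbo, ownership chaining
-- lets the procedure read dbo.Customers without granting SELECT to the app.
CREATE PROCEDURE app.GetCustomerEmail
    @CustomerId int
AS
BEGIN
    SET NOCOUNT ON;
    SELECT Email FROM dbo.Customers WHERE CustomerId = @CustomerId;
END;
GO
-- One role per application, holding exactly the permissions it needs.
CREATE ROLE db_webapp AUTHORIZATION dbo;
ALTER ROLE db_webapp ADD MEMBER WebApp_User;
GRANT EXECUTE ON SCHEMA::app TO db_webapp;
GO
-- Verification, from the application's point of view.
SELECT IS_SRVROLEMEMBER('sysadmin', 'WebApp_Login') AS login_is_sysadmin;

EXECUTE AS USER = 'WebApp_User';
SELECT HAS_PERMS_BY_NAME('app.GetCustomerEmail', 'OBJECT',   'EXECUTE') AS can_exec_proc,
       HAS_PERMS_BY_NAME('dbo.Customers',        'OBJECT',   'SELECT')  AS can_select_table,
       HAS_PERMS_BY_NAME('OrdersDb',             'DATABASE', 'ALTER')   AS can_alter_db;
REVERT;
GO
```

The verification block should report that the login is not a sysadmin member and that the impersonated user can execute the procedure but has neither SELECT on the table nor ALTER on the database. If a connection string built this way leaks through a shared web directory, the attacker gets a single procedure, not the server.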

  • whoops. Duplicate, need to find the delete function...

  • n.ryan (12/21/2015) The sa user was used by a web application to access the database and the credentials were stored in plain text in the web.config file.

    Nice. That's about as good as running multiple dev/test/qa/prod instances reusing the same service account. Why? Because management love slow and arduous paperwork processes to get service accounts commissioned, but then demand instances be stood up faster than those 2-3 weeks of dead waiting time.

  • It's interesting reading this a few years on.

    I've come to realise that so many things stem from a business's desire to move faster than IT can keep pace and the lack of investment required to enable IT to keep pace.

    An IT person's time can easily cost more than £1 (US$1.5) per minute.

    My experience is that organisations spend a fortune on fripperies and irrelevancies but baulk at surprisingly small sums that will have a direct beneficial impact on their staff's ability to do their jobs in a timely fashion.

    Corners cut in security are the really radioactive side of technical debt. Supremely dangerous but treated just like any other piece of tech debt i.e. ignored in the hope by the person authorizing it that they will have been promoted long before the chickens come home to roost.

    This brings up something that in the security arena involves a rather dirty word that the business gets very upset about. GOVERNANCE!!!!!

    I can build a mechanically secure system with role based security, AD integration and strong passwords. Maybe even multifactor authentication if I'm using AD in Azure. Makes not a blind bit of difference if the organisational structures aren't in place.

    Ask a manager if it is appropriate for a member of staff to be placed in a group that has access to 'x' and the response will be "yeah, yeah, yeah, whatever, just do it".

    Then we get to data classification. Again, very few organisations seem to think about this but it is essential if you need to quantify the risk of data exposure. Think of the inept response from the head of Talk Talk in response to the data breach. That was real "scream at the TV" stuff. How can they go on the TV before the world and not even have the basic facts! They are the CEO for God's sake, did they not call their staff and insist on being properly briefed before they went on air?

    Use of SysAdmin for apps is BAD, really BAD. Spin up an AWS RDS instance of SQL Server and see what rights you have. You don't have SysAdmin that's for sure! If you don't need it to run your stuff in AWS then you don't need it for apps development, any argument to the contrary is null and void with AWS being the winning argument. I've not looked at Azure but I can't imagine that it will be much different.

  • Netbackup from Symantec still requires the sysadmin role. Otherwise it fails.

    I mean - how long has the backup role been around? You'd think an organisation like Symantec would be more up to date with security. :cool:

  • Cody K (5/4/2011)


    Horatiu Ripa (5/4/2011)On the other hand, I saw pretty stupid things, from passing connection strings to invisible textboxes in webapps - more or less protected by some cryptography - to two tier applications (sometimes configured with clear text connection strings to access the DB with sa) where the user was blocked only by the application from accessing the full database.

    You did bring up one point that most business applications end up calling one single high-powered SQL account to "get things done"... it used to be sa and now it's the one account all your web services use.

    Not that that's necessarily a bad thing.

    But knowing this, and knowing there's at least half a dozen layers in SQL itself with hundreds of specific actions you can restrict... what's the point? Who's using it?

    No, it absolutely is a bad thing. In fact, using a highly privileged single account for app access is nothing more than deliberate incompetence. The point of having configurable access is precisely that - so you can configure access to ensure the right groups of people have the correct level of access to do their jobs effectively while protecting the security and integrity of the system.

    Bluntly, people who can't be bothered, or bitch and whine about being expected to carry out this *basic* task - and it is both a basic and fundamental task - are not fit for purpose and have no place in this industry IMO.

    I'm a DBA.
    I'm not paid to solve problems. I'm paid to prevent them.

  • andrew gothard (12/21/2015)In fact, using a highly privileged single account for app access is nothing more than deliberate incompetence.

    The last time I heard something like this said, the person saying it was fired. Your job as a DBA doesn't extend to making demands about how vendors build their applications, nor making value judgements about their staff.

    I'm really glad we don't tolerate this kind of vicious attitude towards colleagues and vendors in our workplace 🙂

  • I think the whole concept of a 'SA' account is a bad idea, because essentially it's an account which has full access and which can be sharable across users. It becomes a back door for lazy developers, "Black Ops";-) deployments, and hackers.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • David sums it up very well. Amazing security is still such an issue.

    David.Poole (12/21/2015)


    It's interesting reading this a few years on.

    I've come to realise that so many things stem from a business's desire to move faster than IT can keep pace and the lack of investment required to enable IT to keep pace.

    An IT person's time can easily cost more than £1 (US$1.5) per minute.

    My experience is that organisations spend a fortune on fripperies and irrelevancies but baulk at surprisingly small sums that will have a direct beneficial impact on their staff's ability to do their jobs in a timely fashion.

    Corners cut in security are the really radioactive side of technical debt. Supremely dangerous but treated just like any other piece of tech debt i.e. ignored in the hope by the person authorizing it that they will have been promoted long before the chickens come home to roost.

    This brings up something that in the security arena involves a rather dirty word that the business gets very upset about. GOVERNANCE!!!!!

    I can build a mechanically secure system with role based security, AD integration and strong passwords. Maybe even multifactor authentication if I'm using AD in Azure. Makes not a blind bit of difference if the organisational structures aren't in place.

    Ask a manager if it is appropriate for a member of staff to be placed in a group that has access to 'x' and the response will be "yeah, yeah, yeah, whatever, just do it".

    Then we get to data classification. Again, very few organisations seem to think about this but it is essential if you need to quantify the risk of data exposure. Think of the inept response from the head of Talk Talk in response to the data breach. That was real "scream at the TV" stuff. How can they go on the TV before the world and not even have the basic facts! They are the CEO for God's sake, did they not call their staff and insist on being properly briefed before they went on air?

    Use of SysAdmin for apps is BAD, really BAD. Spin up an AWS RDS instance of SQL Server and see what rights you have. You don't have SysAdmin that's for sure! If you don't need it to run your stuff in AWS then you don't need it for apps development, any argument to the contrary is null and void with AWS being the winning argument. I've not looked at Azure but I can't imagine that it will be much different.

    The more you are prepared, the less you need it.

  • Thanks for the thrashing.

  • dragonfly (12/21/2015)


    Netbackup from Symantec still requires the sysadmin role. Otherwise it fails.

    I mean - how long has the backup role been around? You'd think an organisation like Symantec would be more up to date with security. :cool:

    Considering Google's recent tiff with Symantec over their issuing certificates for domains that don't exist, nothing Symantec does would surprise me. I stopped using Symantec ages ago, they've been flaky for a long time.

    http://www.pcworld.com/article/3014712/security/google-to-revoke-trust-in-a-symantec-root-certificate.html

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Cody K (12/21/2015)


    andrew gothard (12/21/2015)In fact, using a highly privileged single account for app access is nothing more than deliberate incompetence.

    The last time I heard something like this said the person saying it was fired. Your job as a DBA doesn't extend to making demands about how vendors build their applications, nor making value judgements about their staff.

    I'm really glad we don't tolerate this kind of vicious attitude towards colleagues and vendors in our workplace 🙂

    Although you are not the one who can make the demands as to how a vendor approaches security, you are the one who can determine that you will or will not use their product. Also if you choose to use it you decide on where it runs and how isolated/secure you will make it.

    Not all gray hairs are Dinosaurs!

  • Eric M Russell (12/21/2015)


    I think the whole concept of a 'SA' account is a bad idea, because essentially it's an account which has full access and which can be sharable across users. It becomes a back door for lazy developers, "Black Ops";-) deployments, and hackers.

    Hey, it gives something to disable. It also gives us something to monitor to make sure it stays disabled. 😉

  • Ed Wagner (12/21/2015)


    Eric M Russell (12/21/2015)


    I think the whole concept of a 'SA' account is a bad idea, because essentially it's an account which has full access and which can be sharable across users. It becomes a back door for lazy developers, "Black Ops";-) deployments, and hackers.

    Hey, it gives something to disable. It also gives us something to monitor to make sure it stays disabled. 😉

    Yes, whenever the special "SA" account trips an audit alert; it would be kind of fun to creep up behind them and say "Whatcha Doin?".

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
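What Ed Wagner's "something to monitor" and Eric M Russell's "trips an audit alert" look like in practice, as an added T-SQL example (not from either poster): disable and rename the built-in sa principal, check that it stays disabled, list who currently holds sysadmin (the same query answers David Poole's "see what rights you have" on an RDS instance), spot sessions from applications still connecting as a sysadmin login, and set up a server audit so a login by the sa SID, or a change to sysadmin membership, is recorded. The audit name Audit_SA, the specification name Audit_SA_Spec and the path D:\Audit\ are assumptions; the directory must exist and the service account must be able to write to it.

```sql
-- Added example, not from the original thread. Assumed names: Audit_SA,
-- Audit_SA_Spec, folder D:\Audit\ (must exist, writable by the SQL service).
-- The built-in sa principal always has SID 0x01, whatever it is renamed to.

-- 0. Remediation: disable sa and take away the well-known name.
ALTER LOGIN sa DISABLE;
ALTER LOGIN sa WITH NAME = [svc_disabled_builtin];
GO

-- 1. Control check: the SID-0x01 principal must be disabled and not called sa.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;

-- 2. Who holds sysadmin right now? (On RDS this shows the master user is not here.)
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Applications still connected with a sysadmin login: program_name and
--    host_name tell you which web.config or service to go and fix.
SELECT s.session_id, s.login_name, s.host_name, s.program_name, s.login_time
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1
  AND IS_SRVROLEMEMBER('sysadmin', s.login_name) = 1;
GO

-- 4. Server audit: logins (success and failure), sysadmin membership changes
--    and principal changes (which is where ALTER LOGIN ... ENABLE shows up).
CREATE SERVER AUDIT Audit_SA
    TO FILE (FILEPATH = N'D:\Audit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (ON_FAILURE = CONTINUE);
GO
CREATE SERVER AUDIT SPECIFICATION Audit_SA_Spec
    FOR SERVER AUDIT Audit_SA
    ADD (SUCCESSFUL_LOGIN_GROUP),
    ADD (FAILED_LOGIN_GROUP),
    ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
    ADD (SERVER_PRINCIPAL_CHANGE_GROUP)
    WITH (STATE = ON);
GO
ALTER SERVER AUDIT Audit_SA WITH (STATE = ON);
GO

-- 5. The alert query: any event by the sa SID, or any sysadmin membership
--    change, since the last time this was run. Schedule it and page on rows.
SELECT event_time, action_id, succeeded, server_principal_name,
       client_ip, application_name, statement
FROM sys.fn_get_audit_file(N'D:\Audit\*', DEFAULT, DEFAULT)
WHERE server_principal_sid = 0x01
   OR action_id IN ('APRL', 'DPRL')   -- add / drop server role member
ORDER BY event_time DESC;
```

Step 3 is the one that pays off fastest: it reports the host and program name of every live connection using a sysadmin login, which is exactly the inventory you need before the "Whatcha Doin?" conversation. Step 5 fires on the SID rather than the name, so renaming sa back does not evade it.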

  • Slightly off-topic; while working for a large financial institution, I was approached by one of the security team. He was a highly-paid and allegedly very security-savvy contractor. His request (although phrased more as a demand) was for me to give sysadmin rights on most of our production instances to the penetration testers coming on-site as part of his project.

    It's fair to say that he was disappointed, and also that he didn't handle disappointment particularly well.
