SQL Server Security Mistakes Everyone Makes
Robert L Davis, Database Engineer
@SQLSoldier
www.sqlsoldier.com

PASS Security Virtual Chapter
• http://security.sqlpass.org
• Volunteers needed

Robert L Davis
• Microsoft Certified Master
• Data Platform MVP
• Database Engineer, BlueMountain Capital Management
• 16+ years working with SQL Server
• @SQLSoldier
• www.sqlsoldier.com

Leaving orphaned users in the database
“What’s the big deal?”
“If the login was deleted, they can’t access the database.”
“Right?”
• Once a user logs in, they get all permissions available to them
• Permissions superset
  • Group memberships
  • Orphaned users
• To see all login paths:
  Exec xp_logininfo '<login>', 'all';
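The audit that goes with this slide, as an added example rather than a query from the session's demo files: run in the database being checked, it lists the users whose SID no longer matches any server login, flags the ones that own a schema or a database role (DROP USER fails on those until ownership is moved), and generates the cleanup statement for each. The account, user and schema names in the remediation comments (DOMAIN\someone, someone, someschema) are placeholders. For a Windows account, run xp_logininfo on it before assuming the dropped login closed the door: if the account still reaches the instance through a group login, SQL Server maps it to the orphaned database user by SID and it keeps every permission that user holds, which is the permissions superset the slide describes.

```sql
-- Added example (not part of the session demo files). Run in the database
-- being audited. Lists users whose SID has no matching server login.
-- authentication_type exists in SQL Server 2012 and later.
SELECT dp.name      AS DBUser,
       dp.type_desc AS UserType,
       CASE WHEN EXISTS (SELECT 1 FROM sys.schemas AS s
                         WHERE s.principal_id = dp.principal_id)
              OR EXISTS (SELECT 1 FROM sys.database_principals AS r
                         WHERE r.owning_principal_id = dp.principal_id)
            THEN 1 ELSE 0 END AS OwnsSchemaOrRole,   -- DROP USER fails while this is 1
       'DROP USER ' + QUOTENAME(dp.name) + ';' AS DropStatement
FROM sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp
       ON sp.sid = dp.sid
WHERE sp.sid IS NULL
  AND dp.type IN ('S', 'U', 'G')             -- SQL user, Windows user, Windows group
  AND dp.authentication_type NOT IN (0, 2)   -- skip users WITHOUT LOGIN and contained-database users
  AND dp.principal_id > 4                    -- skip dbo, guest, INFORMATION_SCHEMA, sys
ORDER BY dp.name;
-- In a contained database (sys.databases.containment <> 0) Windows users are
-- expected to have no server login, so review those hits by hand.

-- Before dropping a Windows user, confirm the account has no other path in
-- (placeholder account name):
-- EXEC xp_logininfo 'DOMAIN\someone', 'all';

-- If the login was recreated with a new SID (common after restoring the
-- database onto another instance), re-link the user instead of dropping it:
-- ALTER USER [someone] WITH LOGIN = [someone];

-- If the orphan owns a schema, move it to dbo before dropping the user:
-- ALTER AUTHORIZATION ON SCHEMA::[someschema] TO dbo;
```

Dropping the user is the right fix when the person or service really is gone; re-linking is the right fix when only the SID changed. Either way, the decision is per user, so the script generates the statements rather than executing them.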
Allow non-admin users to have database owner permissions
• Database owner or member of db_owner group
• User gets ALL possible database permissions
• Even potentially harmful permissions
  • Drop objects
  • Change database settings
  • Modify, add, drop database files
  • Create out-of-band backups
  • Drop the database
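An instance-wide check for this mistake, added here as an example and not taken from the session: because role membership lives in each database's own catalog, the script walks every online user database with dynamic SQL, collects the members of db_owner, and reports only those that are not already sysadmin at the server level (a sysadmin gets everything regardless, so listing it adds noise). It assumes it is run as sysadmin so that every database is accessible; app_user in the remediation comments is a placeholder.

```sql
-- Added example (not part of the session demo files). Lists db_owner members
-- in every online user database, excluding members that are already sysadmin.
SET NOCOUNT ON;

DECLARE @Results TABLE (
    DBName     sysname,
    Member     sysname,
    MemberType nvarchar(60),
    LoginName  sysname NULL,   -- NULL: the member's SID has no server login (orphaned)
    IsSysadmin bit
);

DECLARE @db  sysname,
        @sql nvarchar(max);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name
    FROM sys.databases
    WHERE state_desc = 'ONLINE'
      AND database_id > 4;       -- skip master, tempdb, model, msdb

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Three-part names read the target database's catalog views without USE.
    SET @sql = N'SELECT ' + QUOTENAME(@db, N'''') + N' AS DBName,
                        m.name, m.type_desc, sp.name,
                        CASE WHEN IS_SRVROLEMEMBER(N''sysadmin'', sp.name) = 1
                             THEN 1 ELSE 0 END
                 FROM ' + QUOTENAME(@db) + N'.sys.database_role_members AS rm
                 JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS r
                      ON r.principal_id = rm.role_principal_id
                 JOIN ' + QUOTENAME(@db) + N'.sys.database_principals AS m
                      ON m.principal_id = rm.member_principal_id
                 LEFT JOIN sys.server_principals AS sp
                      ON sp.sid = m.sid
                 WHERE r.name = N''db_owner''
                   AND m.name <> N''dbo'';';

    INSERT INTO @Results (DBName, Member, MemberType, LoginName, IsSysadmin)
    EXEC sys.sp_executesql @sql;

    FETCH NEXT FROM dbs INTO @db;
END;
CLOSE dbs;
DEALLOCATE dbs;

-- Non-sysadmin accounts holding db_owner: these are the ones to review.
SELECT DBName, Member, MemberType, LoginName
FROM @Results
WHERE IsSysadmin = 0
ORDER BY DBName, Member;

-- Remediation pattern for an application account that only needs to read,
-- write and call procedures (placeholder name; adjust to what the app uses):
-- ALTER ROLE db_owner      DROP MEMBER [app_user];
-- ALTER ROLE db_datareader ADD MEMBER  [app_user];
-- ALTER ROLE db_datawriter ADD MEMBER  [app_user];
-- GRANT EXECUTE ON SCHEMA::dbo TO [app_user];
```

A row with a NULL LoginName is an orphaned user that also holds db_owner, which combines the first two mistakes in one account and belongs at the top of the review list.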
Leave a real user as the database owner
• Database owner: sys.databases.owner_sid

  Select D.name As DBName,
         P.name As DBOwnerLogin,
         SUSER_SNAME(D.owner_sid) As DBOwnerWindowsAccount
  From sys.databases As D
  Left Join sys.server_principals As P
       On P.sid = D.owner_sid;
  *Query included in session demo files

• Account gets mapped to the database user dbo
• dbo bypasses permissions checking within database
• Sysadmins impersonate dbo within database
• Invalid owner can cause error 916 when sysadmin tries to access database:
  The server principal <login> is not able to access the database <database> under the current security context.
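An added example that extends the owner query above (it is not from the session's demo files): it flags every user database whose owner is not the designated owner login, or whose owner SID no longer maps to any login at all, and generates the ALTER AUTHORIZATION statement to fix it. It assumes the designated owner is the sa login under its default name; a dedicated, disabled SQL login works the same way, and the variable is the only thing to change.

```sql
-- Added example (not part of the session demo files). Extends the owner
-- query from the slide: lists databases not owned by the designated owner
-- login and generates the fix for each.
DECLARE @DesignatedOwner sysname = N'sa';   -- assumption: sa (not renamed), or a dedicated disabled SQL login

SELECT D.name                   AS DBName,
       P.name                   AS CurrentOwnerLogin,          -- NULL: owner SID has no login
       SUSER_SNAME(D.owner_sid) AS CurrentOwnerWindowsAccount, -- resolves a Windows SID even without a login
       CASE
           WHEN P.sid IS NULL        THEN 'owner login no longer exists'
           WHEN P.type IN ('U', 'G') THEN 'Windows account or group is the owner'
           ELSE                           'other login is the owner'
       END                      AS Issue,
       'ALTER AUTHORIZATION ON DATABASE::' + QUOTENAME(D.name)
           + ' TO ' + QUOTENAME(@DesignatedOwner) + ';' AS FixStatement
FROM sys.databases AS D
LEFT JOIN sys.server_principals AS P
       ON P.sid = D.owner_sid
WHERE D.database_id > 4                        -- skip system databases
  AND (P.sid IS NULL OR P.name <> @DesignatedOwner)
ORDER BY D.name;

-- ALTER AUTHORIZATION fails if the new owner already has a user of its own in
-- the database, because the owner's login must map to dbo and nothing else.
-- Drop that user in the database first (placeholder names):
-- USE [SomeDatabase];
-- DROP USER [user_mapped_to_the_new_owner];
```

Using a login that nobody signs in with as the owner is the point: the owner's account becomes dbo, and dbo skips permission checks, so tying it to a person's Windows login hands that person unchecked access and leaves the database with a broken owner the day the login is removed.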
Thanks!
Thank you for attending!
My blog: www.sqlsoldier.com
Twitter: twitter.com/SQLSoldier