Download 718 KB - PASS Security Virtual Chapter

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
page
31
page
32
Document related concepts

Commitment ordering wikipedia , lookup

Entity–attribute–value model wikipedia , lookup

Extensible Storage Engine wikipedia , lookup

Serializability wikipedia , lookup

Microsoft Access wikipedia , lookup

IMDb wikipedia , lookup

Oracle Database wikipedia , lookup

Btrieve wikipedia , lookup

SQL wikipedia , lookup

Functional Database Model wikipedia , lookup

Ingres (database) wikipedia , lookup

Open Database Connectivity wikipedia , lookup

Concurrency control wikipedia , lookup

Database wikipedia , lookup

PL/SQL wikipedia , lookup

Microsoft SQL Server wikipedia , lookup

Microsoft Jet Database Engine wikipedia , lookup

Relational model wikipedia , lookup

Database model wikipedia , lookup

Clusterpoint wikipedia , lookup

ContactPoint wikipedia , lookup

Transcript 
SQL Server Security Mistakes
Everyone Makes
Robert L Davis
Database Engineer
@SQLSoldier
www.sqlsoldier.com
PASS Security Virtual Chapter
• http://security.sqlpass.org
• Volunteers needed
Robert L Davis
• Microsoft Certified Master
• Data Platform MVP
Database Engineer
• BlueMountain Capital Management
• 16+ years working with SQL Server
@SQLSoldier
• www.sqlsoldier.com
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
“What’s the big deal?”
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
“What’s the big deal?”
“If the login was deleted,
they can’t access the database.”
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
“What’s the big deal?”
“If the login was deleted,
they can’t access the database.”
“Right?”
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them
 Permissions superset
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them
 Permissions superset
 Group memberships
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them
 Permissions superset
 Group memberships
 Orphaned users
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them




Permissions superset
Group memberships
Orphaned users
To see all login paths:
 Exec xp_logininfo '<login>', 'all';
SQL Server Security Mistakes Everyone Makes
 Leaving orphaned users in the database
 Once a user logs in, they get all permissions
available to them




Permissions superset
Group memberships
Orphaned users
To see all login paths:
 Exec xp_logininfo '<login>', 'all';
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions
 Drop objects
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions
 Drop objects
 Change database settings
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions
 Drop objects
 Change database settings
 Modify, add, drop database files
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions




Drop objects
Change database settings
Modify, add, drop database files
Create out-of-band backups
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions





Drop objects
Change database settings
Modify, add, drop database files
Create out-of-band backups
Drop the database
SQL Server Security Mistakes Everyone Makes
 Allow non-admin users to have database
owner permissions
 Database owner or member of db_owner group
 User gets ALL possible database permissions
 Even potentially harmful permissions





Drop objects
Change database settings
Modify, add, drop database files
Create out-of-band backups
Drop the database
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
Select D.name As DBName,
P.name As DBOwnerLogin,
SUSER_SNAME(D.owner_sid) As DBOwnerWindowsAccount
From sys.databases As D
Left Join sys.server_principals As P
On P.sid = D.owner_sid;
*Query included in session demo files
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
 Account gets mapped to the database user dbo
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
 Account gets mapped to the database user dbo
 dbo bypasses permissions checking within
database
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
 Account gets mapped to the database user dbo
 dbo bypasses permissions checking within
database
 Sysadmins impersonate dbo within database
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
 Account gets mapped to the database user dbo
 dbo bypasses permissions checking within
database
 Sysadmins impersonate dbo within database
 Invalid owner can cause error 916 when
sysadmin tries to access database
SQL Server Security Mistakes Everyone Makes
 Leave a real user as the database owner
 Database owner: sys.databases.owner_sid
 Account gets mapped to the database user dbo
 dbo bypasses permissions checking within
database
 Sysadmins impersonate dbo within database
 Invalid owner can cause error 916 when
sysadmin tries to access database:
The server principal <login> is not able to access the
database <database> under the current security context.
SQL Server Security Mistakes Everyone Makes
Thanks!
Thank you for attending!
 My blog: www.sqlsoldier.com
 Twitter: twitter.com/SQLSoldier
Related documents
SQL Server Administration
SQL Server Administration
Did You Know? SQL Server 2008 * [Feature]
Did You Know? SQL Server 2008 * [Feature]
Introduction to ASP.NET
Introduction to ASP.NET
SQL Server database administration using Web Data Administrator
SQL Server database administration using Web Data Administrator
lesson12
lesson12
here
here
Business Intelligence and Data Warehousing
Business Intelligence and Data Warehousing
Data Warehouse performance and maintenance
Data Warehouse performance and maintenance
Recruitment Authorisation Form
Recruitment Authorisation Form
Elements of SQL Data Definition Language
Elements of SQL Data Definition Language
BIS 3204 Database DB Programming
BIS 3204 Database DB Programming
COMP 521 F10 Final Exam Review
COMP 521 F10 Final Exam Review