SQL, Analysis Services & related stories.

Switching context with using EXECUTE AS ... not always switch it in fact as you wish.

In this demo i will try to explain why SET TRUSTWORTHY ON on some databases may make the sysadmin job unsafe. In previous posts i explained how db owner (or any developer) can try to implemet simplest luring attack against server sysadmin. According to BOL to avoid this problem sysadmin should switch to the context of the account/login with lowest possible privileges. Lets try to test this approach.

USE master
GO

-- create test database
CREATE DATABASE [TestDB] ON PRIMARY ( NAME = N'TestDB', FILENAME = N'C:\TestDB.mdf', SIZE = 3072KB, FILEGROWTH = 1024KB )
 LOG ON ( NAME = N'TestDB_log', FILENAME = N'C:\TestDB_log.ldf', SIZE = 1024KB, FILEGROWTH = 10%)
GO

-- set option
EXEC dbo.sp_dbcmptlevel @dbname=N'TestDB', @new_cmptlevel=90
GO

-- first time test with TRUSTWORTHY = OFF

ALTER DATABASE [TestDB] SET TRUSTWORTHY OFF
GO

-- create login Test
USE [master]
GO
CREATE LOGIN [Test] WITH PASSWORD=N'111', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO

USE [TestDB]
GO

-- create user test
CREATE USER [Test] FOR LOGIN [Test]
GO

-- create test DDL trigger - fired on any DENY event
CREATE TRIGGER [ddl_test_trigger]
ON DATABASE
FOR DENY_DATABASE
AS
 
SET NOCOUNT ON

 IF IS_SRVROLEMEMBER ('sysadmin') = 1
  PRINT 'Sysadmin found, security can be broken easily.'
 ELSE
  PRINT 'Sysadmin not found, you are in safe.'
 
GO

-- test under sysadmin (sa) account
DECLARE @cmd nvarchar(1000)

SET @cmd = 'DENY BACKUP DATABASE TO [Test]'
EXEC (@cmd)
GO

-- you'll see "Sysadmin found, security can be broken easily."

-- so the next step according to BOL - switch to lowest privileges context for desired operation
DECLARE @cmd nvarchar(1000)
SET @cmd = 'DENY BACKUP DATABASE TO [Test]'
EXEC (@cmd) AS USER = 'dbo'
GO

-- you'll see now "Sysadmin not found, you are in safe."
-- Thats is our desired goal - to be in safe. Lets try to set TRUSTWORTHY ON

ALTER DATABASE [TestDB] SET TRUSTWORTHY ON
GO

-- try again the "safe" version
DECLARE @cmd nvarchar(1000)
SET @cmd = 'DENY BACKUP DATABASE TO [Test]'
EXEC (@cmd) AS USER = 'dbo'
GO

-- you'll see again "Sysadmin found, security can be broken easily."

-- clear objects
USE Master
GO

DROP DATABASE [TestDB]
GO

DROP LOGIN [Test]
GO

--------------------------------------------------------

As as result of this demo i would recommend you do not use TRUSTWORTHY ON on your databases. Otherwise before making any
changes under 'sa' account in unknown databases please check TRUSTWORTHY setting for the database you are
working with, because simple EXECUTE AS .... (even with cookie) will not protect you from loosing you privileges or
GRANT 'sa' privileges to everybody (as explained in my previous articles). And be always in safe :-).

--------------------------------------------------------

 

Published Thursday, March 01, 2007 11:23 AM by Igor Kovalenko

Comment Notification

If you would like to receive an email when updates are made to this post, please register here

Subscribe to this post's comments using RSS

Comments

 

raulga said:

 You are absolutely correct, the scenario you described above is a very dangerous one.

The TRUSTWORTHY flag (TW for short) as the name connotes, means that the system administrator trust the database. By itself the TW is only a gating mechanism (think of it as an ON/OFF knob), when the flag is on, it that allows the system to perform permission checks on the database owner in order to allow certain operations that are extremely high privileged such as vouch for an impersonated token or execute unsafe assemblies.

 In this case the owner of the Db is a system administrator (a practice that is unfortunately too common, but not recommended) in addition to the TW property on the database. Because the dbo (look at sys.databses) is a member of sysadmin server role, all permissions are automatically granted to the dbo, and by turning on the TW property on the database, the gate is fully opened and uncontrolled.

In order to enable the cross-database impersonation and unsafe assembly execution with a better control, we also have the ability to digitally sign modules (i.e. stored procedures) and assemblies. I personally recommend using digital signatures instead of the TRUSTWORTHY flag whenever it is possible.

The recommendation is only turn on the TW on if the system administrator fully trust privileged users in the database; and I also strongly recommend against turning the TW flag on a database owned by members of sysadmin server role.

I strongly recommend reading the documentation regarding EXECUTE AS and the TRSUTWORTHY bit in more detail:

http://msdn2.microsoft.com/en-us/library/ms188268.aspx

http://msdn2.microsoft.com/en-us/library/ms188304.aspx

http://msdn2.microsoft.com/en-us/library/ms345102.aspx

I would also like to invite you if you have any question on how to use the security features in SQL Server to contact us in the SQL Server Security forum (http://forums.microsoft.com/MSDN/ShowForum.aspx?ForumID=92&SiteID=1), we will be glad to answer your questions.

Thanks a lot,

-Raul Garcia

 SDE/T

 SQL Server Engine

March 27, 2007 7:21 PM

Leave a Comment

(required) 
(optional)
(required) 

  
Enter Code Here: Required
Submit

About Igor Kovalenko

I've been in IT since 1991 starting my carrier on Unix & C development. Now i am a consultant in Microsoft Services, Russia. My areas of experience - SQL & OLAP. I've been working with Microsoft tools for more than 15 years, started from asm 5.0 and Quick C 2.51 through (Visual) FoxPro, VB, C#... But my mission is SQL. Truly says i have enough knowledge both Oracle (8, 9.i) and Microsoft db technology, but it's to hard for me to cover both :-). My real data warehousing experience started with one of the largest DW implementation with using Oracle 9i in Russia till 2002. Of course i also implemented the first part of BI project on top of this DW with using SQL AS 2000 & Crystal reports. After that for a year i was a seniour developer, Online Services, in Dell UK, Bracknell (c++/vb/Oracle/SQL/ASP). In 2003 i was a little bit tired from High Technology World and decided to join Deloitte, Moscow, where i was a Finance analyst, member of Business Director Group. I really miss a half of my IT knowledge this time (SQL & Crystal is only useful), but now i perfectly know the "underground" of any BIG 4 consulting company, budgeting and managing process details, FTE, Utilization, OPTS analysis.... Hell, real accounting hell. I was excited to design and implement my first (and last) project with using Cognos EP tool. At the end of 2005 i was hired by my favorite company :-) Microsoft and now i am working with my favorite tool: SQL Server. To keep a long story short :-).

This Blog

Syndication

News

Locations of visitors to this page

© 2009 Microsoft Corporation. All rights reserved. Terms of Use  |  Trademarks  |  Privacy Statement
Microsoft
Page view tracker