Exploiting SQL Server Security Holes

Presentation transcript:

Exploiting SQL Server Security Holes Robert L Davis Database Engineer www.sqlsoldier.com @SQLSoldier

Robert L Davis @SQLSoldier
Database Engineer, BlueMountain Capital Management
Microsoft Certified Master, Data Platform MVP
PASS Security Virtual Chapter (http://security.sqlpass.org), volunteers needed
16+ years working with SQL Server
Former Principal Database Architect at DB Best Technologies (www.dbbest.com)
Former Principal DBA at Outerwall, Inc
Former Sr. Product Consultant with Idera Software
Former Program Manager for the SQL Server Certified Master program in Microsoft Learning
Former Sr. Production DBA / Operations Engineer at Microsoft (CSS)
Microsoft Certified Master: SQL Server 2008 / MCSM Charter: Data Platform
Co-founder of the SQL PASS Security Virtual Chapter
MCITP: Database Developer: SQL Server 2005 and 2008
MCITP: Database Administrator: SQL Server 2005 and 2008
MCSE: Data Platform
MVP 2014
Co-author of Pro SQL Server 2008 Mirroring
Former Idera ACE (Advisors & Community Educators)
2 time host of T-SQL Tuesday
Guest Professor at SQL University, summer 2010, spring/summer 2011
Speaker at SQL PASS Summit 2010, 2011, and 2012 including a pre-con in 2012
Speaker/Pre-con at SQLRally 2012
Writer for SQL Server Pro (formerly SQL Server Magazine)
Member: Mensa
Dog picture: Maggie and Woody
SQLCruise instructor: Seattle to Alaska 2012
Speaker at SQL Server Intelligence Conference in Seattle 2012
Blog: http://www.sqlsoldier.com
Twitter: http://twitter.com/SQLSoldier

Exploiting SQL Server Security Holes
Agenda
Permissions Superset
Database Owner
Bypassing Logins
Trustworthy

Exploiting SQL Server Security Holes Permissions Superset Demo #1

Exploiting SQL Server Security Holes
Permissions Superset
User gets all permissions available to them
When grants and denies conflict, deny wins (almost always)
Due to ANSI standards, an explicit grant on a column overrides an explicit deny on a column
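The following T-SQL is an added example, not part of the slides or the speaker's demo: it builds the superset from a role grant and a user deny, then shows the column exception, which SQL Server documents as a table-level DENY not taking precedence over a column-level GRANT. Table, user and role names are constructed; run it in a scratch database.

```sql
-- Added example (not from the slides): how a user's effective permissions are computed
-- from conflicting GRANTs and DENYs. All names are constructed; run in a scratch database.
CREATE TABLE dbo.Employees (Id int PRIMARY KEY, Name nvarchar(50), Salary money);
INSERT INTO dbo.Employees VALUES (1, N'constructed row', 1);
GO
CREATE USER AppUser WITHOUT LOGIN;
CREATE ROLE Reporting;
ALTER ROLE Reporting ADD MEMBER AppUser;   -- SQL Server 2012+ syntax
GO
-- Case 1: the role grants, the user is denied. DENY wins, whichever side it sits on.
GRANT SELECT ON dbo.Employees TO Reporting;
DENY  SELECT ON dbo.Employees TO AppUser;
GO
EXECUTE AS USER = 'AppUser';
-- HAS_PERMS_BY_NAME evaluates the effective permission without running a statement that fails.
SELECT HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT') AS can_select_table;  -- the user-level DENY beats the role GRANT
REVERT;
GO
-- Case 2: the ANSI exception. A table-level DENY does not override a GRANT on a single column.
REVOKE SELECT ON dbo.Employees FROM AppUser;          -- removes the DENY from case 1
DENY  SELECT ON dbo.Employees TO Reporting;           -- replaces the role's table-level GRANT
GRANT SELECT ON dbo.Employees (Name) TO Reporting;    -- column-level GRANT coexists with the DENY
GO
EXECUTE AS USER = 'AppUser';
SELECT HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT')                     AS can_select_table,   -- table-level DENY applies
       HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT', 'Name',   'COLUMN') AS can_select_name,    -- column GRANT survives the DENY
       HAS_PERMS_BY_NAME('dbo.Employees', 'OBJECT', 'SELECT', 'Salary', 'COLUMN') AS can_select_salary;  -- no column GRANT, DENY applies
-- sys.fn_my_permissions lists the whole effective set for the impersonated user, column entries included.
SELECT permission_name, subentity_name FROM sys.fn_my_permissions('dbo.Employees', 'OBJECT');
REVERT;
```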

Exploiting SQL Server Security Holes Database Owner Demo #2

Exploiting SQL Server Security Holes
Database Owner
Mapped automatically to the dbo account
Has all perms inside of database (DML, DDL, etc)
Has broad permissions for modifying the database properties
Can make a variety of changes that can be damaging to the database or even the server: page verification, file settings, recovery model, auto-shrink, auto-close, etc
Still cannot change TRUSTWORTHY
Impersonated by sysadmin when sysadmin is in the database
If no valid owner, you may receive an error that the user cannot perform the requested action under the current security context
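An added audit query, not from the slides, that surfaces the ownership problems this slide describes: a database whose owner login no longer exists, and a database owned by a sysadmin login, which is the combination that matters once TRUSTWORTHY is on. The login and database names in the remediation are constructed placeholders.

```sql
-- Added example (not from the slides): find databases whose owner is a risk.
-- Run as a member of sysadmin; the names in the remediation are constructed placeholders.
SELECT  d.name                                  AS database_name,
        SUSER_SNAME(d.owner_sid)                AS owner_login,     -- NULL when the owner login no longer exists
        d.is_trustworthy_on,
        d.is_db_chaining_on,
        CASE WHEN SUSER_SNAME(d.owner_sid) IS NULL
             THEN 'no valid owner: dbo cannot be resolved, expect security-context errors'
             WHEN IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
                  AND d.is_trustworthy_on = 1
             THEN 'TRUSTWORTHY on and owned by a sysadmin: db_owner can reach server-level permissions'
             WHEN IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(d.owner_sid)) = 1
             THEN 'owned by a sysadmin login'
             ELSE 'ok'
        END                                     AS finding
FROM    sys.databases AS d
WHERE   d.database_id > 4                       -- skip master, tempdb, model and msdb
ORDER BY d.name;
GO
-- Remediation for the first two findings: give the database a dedicated, low-privilege owner
-- login that never connects, and switch TRUSTWORTHY off. AppDb and the login are constructed names.
CREATE LOGIN DbOwnerPlaceholder WITH PASSWORD = '<placeholder-strong-password>', CHECK_POLICY = ON;
ALTER LOGIN DbOwnerPlaceholder DISABLE;     -- ownership works with a disabled login; it only needs to exist
ALTER AUTHORIZATION ON DATABASE::[AppDb] TO DbOwnerPlaceholder;
ALTER DATABASE [AppDb] SET TRUSTWORTHY OFF;
```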

Exploiting SQL Server Security Holes Bypassing Logins Demo #3

Exploiting SQL Server Security Holes
Bypassing Logins
Relates directly to permissions superset
If user can login via group membership, the individual perms are included in the superset
Even if the individual login doesn't exist
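An added example, not from the slides, for checking which Windows-group logins exist and which paths an account has into the instance; this is how a user with no individual login still turns up in the superset. `CONTOSO\alice` is a constructed placeholder account.

```sql
-- Added example (not from the slides): enumerate group-based access.
-- CONTOSO\alice is a constructed placeholder; xp_logininfo and sys.login_token are built in.

-- Which Windows groups are logins, and which server roles each of them holds.
SELECT  g.name          AS group_login,
        g.is_disabled,
        r.name          AS server_role
FROM    sys.server_principals AS g
        LEFT JOIN sys.server_role_members AS rm ON rm.member_principal_id = g.principal_id
        LEFT JOIN sys.server_principals   AS r  ON r.principal_id = rm.role_principal_id
WHERE   g.type = 'G'                                -- Windows group
ORDER BY g.name, r.name;
GO
-- Every path by which one account reaches the instance: its own login, if it has one,
-- plus each group login it is a member of. Requires a domain-joined instance.
EXEC xp_logininfo @acctname = 'CONTOSO\alice', @option = 'all';
GO
-- For the current session: the full login token, i.e. the set the superset is built from.
SELECT name, type, usage FROM sys.login_token ORDER BY type, name;
```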

Exploiting SQL Server Security Holes Trustworthy Demo #4

Exploiting SQL Server Security Holes
Trustworthy
Sounds like a good thing to have
Used for unsafe CLR assemblies or assemblies with external access
Used to allow cross-database permissions chaining
Can usually be done instead with signed modules or signed assemblies
Effectively allows a db owner to take over the whole server
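The signed-module alternative the slide recommends, written out as an added example that is not part of the slides or the speaker's demo: a procedure in one database reads a table in another without TRUSTWORTHY, because the certificate user in the target database carries the permission. Database, login, certificate and password values are constructed placeholders.

```sql
-- Added example (not from the slides): cross-database access through a signed procedure,
-- so neither database needs TRUSTWORTHY ON. Database, login, certificate and password
-- values are constructed placeholders; run as sysadmin on a test instance.
USE master;
GO
CREATE DATABASE AppDb;
CREATE DATABASE AuditDb;
CREATE LOGIN AppLogin WITH PASSWORD = '<placeholder-strong-password>';  -- stands in for the app's login
GO
USE AuditDb;
GO
CREATE TABLE dbo.AuditLog (Id int IDENTITY PRIMARY KEY, Msg nvarchar(200));
INSERT INTO dbo.AuditLog (Msg) VALUES (N'constructed row');
CREATE USER AppLogin FOR LOGIN AppLogin;   -- caller must exist here for the hop, but holds no permissions
GO
USE AppDb;
GO
CREATE USER AppLogin FOR LOGIN AppLogin;
GO
CREATE PROCEDURE dbo.ReadAudit AS
    SELECT Id, Msg FROM AuditDb.dbo.AuditLog;
GO
GRANT EXECUTE ON dbo.ReadAudit TO AppLogin;
-- Sign the procedure with a certificate kept in AppDb, then drop the private key so nothing
-- else can be signed with it. ALTER PROCEDURE strips the signature, so changes must be re-signed.
CREATE CERTIFICATE ReadAuditCert ENCRYPTION BY PASSWORD = '<placeholder-strong-password>'
    WITH SUBJECT = 'Signs dbo.ReadAudit';
ADD SIGNATURE TO dbo.ReadAudit BY CERTIFICATE ReadAuditCert
    WITH PASSWORD = '<placeholder-strong-password>';
ALTER CERTIFICATE ReadAuditCert REMOVE PRIVATE KEY;
GO
-- Copy only the public part of the certificate into AuditDb (same thumbprint, no private key).
DECLARE @pub nvarchar(max) = CONVERT(nvarchar(max), CERTENCODED(CERT_ID('ReadAuditCert')), 1);
EXEC (N'USE AuditDb; CREATE CERTIFICATE ReadAuditCert FROM BINARY = ' + @pub + N';');
GO
USE AuditDb;
GO
-- The certificate user holds the permission. It joins the caller's token only while the
-- signed procedure runs, so the caller gains SELECT on this table and nothing else.
CREATE USER ReadAuditCertUser FROM CERTIFICATE ReadAuditCert;
GRANT SELECT ON dbo.AuditLog TO ReadAuditCertUser;
GO
-- Verify as the application login: the procedure works, while a direct SELECT on
-- AuditDb.dbo.AuditLog by AppLogin would still be denied.
EXECUTE AS LOGIN = 'AppLogin';
EXEC AppDb.dbo.ReadAudit;
REVERT;
```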

Exploiting SQL Server Security Holes Q & A

Thank you for coming!
My blog: www.sqlsoldier.com
Twitter: twitter.com/SQLSoldier