SQL Server Security Mistakes Everyone Makes

Robert L Davis
Database Engineer
@SQLSoldier
www.sqlsoldier.com

Robert L Davis (@SQLSoldier)

- Microsoft Certified Master, Data Platform MVP
- Database Engineer at BlueMountain Capital Management
- 16+ years working with SQL Server
- PASS Security Virtual Chapter: http://security.sqlpass.org (volunteers needed)
- Former Principal Database Architect at DB Best Technologies (www.dbbest.com)
- Former Principal DBA at Outerwall, Inc
- Former Sr. Product Consultant with Idera Software
- Former Program Manager for SQL Server Certified Master program in Microsoft Learning
- Former Sr. Production DBA / Operations Engineer at Microsoft (CSS)
- Microsoft Certified Master: SQL Server 2008 / MCSM Charter: Data Platform
- Co-founder of the SQL PASS Security Virtual Chapter
- MCITP: Database Developer: SQL Server 2005 and 2008
- MCITP: Database Administrator: SQL Server 2005 and 2008
- MCSE: Data Platform
- MVP 2014
- Co-author of Pro SQL Server 2008 Mirroring
- Former Idera ACE (Advisors & Community Educators)
- Two-time host of T-SQL Tuesday
- Guest Professor at SQL University, summer 2010, spring/summer 2011
- Speaker at SQL PASS Summit 2010, 2011, and 2012, including a pre-con in 2012
- Speaker/Pre-con at SQLRally 2012
- Writer for SQL Server Pro (formerly SQL Server Magazine)
- Member: Mensa
- Dog picture: Maggie and Woody
- SQLCruise instructor: Seattle to Alaska 2012
- Speaker at SQL Server Intelligence Conference in Seattle 2012
- Blog: http://www.sqlsoldier.com
- Twitter: http://twitter.com/SQLSoldier

Leaving orphaned users in the database

- “What’s the big deal?”
- “If the login was deleted, they can’t access the database.”
- “Right?”
- Once a user logs in, they get all permissions available to them:
  - Permissions superset
  - Group memberships
  - Orphaned users
- To see all login paths: Exec xp_logininfo '<login>', 'all';
- Demo
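
One way to check a database for the orphaned users described above and see what each one still carries. This is an added example, not from the session demo files; it assumes SQL Server 2012 or later, and the temp table name #orphans and the account placeholder are hypothetical.

```sql
-- Added example. Run inside the database under review.
-- Step 1: users whose SID matches no login on this instance (orphaned users).
IF OBJECT_ID('tempdb..#orphans') IS NOT NULL DROP TABLE #orphans;

SELECT dp.principal_id, dp.name, dp.type_desc
INTO   #orphans
FROM   sys.database_principals AS dp
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE  sp.sid IS NULL
  AND  dp.type IN ('S', 'U', 'G')   -- SQL user, Windows user, Windows group
  AND  dp.authentication_type_desc IN ('INSTANCE', 'WINDOWS')
                                    -- skips WITHOUT LOGIN and contained users
  AND  dp.principal_id > 4;         -- skips dbo, guest, INFORMATION_SCHEMA, sys

-- Step 2: database roles each orphaned user still belongs to.
SELECT o.name AS OrphanedUser, o.type_desc AS UserType, r.name AS MemberOfRole
FROM   #orphans AS o
JOIN   sys.database_role_members AS rm ON rm.member_principal_id = o.principal_id
JOIN   sys.database_principals   AS r  ON r.principal_id = rm.role_principal_id
ORDER BY o.name, r.name;

-- Step 3: permissions granted or denied directly to each orphaned user.
SELECT o.name AS OrphanedUser,
       pe.state_desc      AS GrantState,
       pe.permission_name AS Permission,
       pe.class_desc      AS SecurableClass,
       CASE WHEN pe.class = 1 THEN OBJECT_NAME(pe.major_id)   -- object or column
            WHEN pe.class = 3 THEN SCHEMA_NAME(pe.major_id)   -- schema
       END                AS Securable
FROM   #orphans AS o
JOIN   sys.database_permissions AS pe ON pe.grantee_principal_id = o.principal_id
ORDER BY o.name, pe.class_desc, pe.permission_name;

-- Step 4: for a Windows account listed above, show every path it can still
-- log in through. The account name is a placeholder; uncomment to run.
-- EXEC xp_logininfo N'<DOMAIN\account>', 'all';

DROP TABLE #orphans;
```

A Windows user that appears in step 1 and still returns rows from xp_logininfo can reach the server through a group and pick up everything listed in steps 2 and 3.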

Allow non-admin users to have database owner permissions

- Database owner or member of db_owner group
- User gets ALL possible database permissions
- Even potentially harmful permissions:
  - Drop objects
  - Change database settings
  - Modify, add, drop database files
  - Create out-of-band backups
  - Drop the database
- Demo
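
To review who holds those permissions, the following added example (not from the session demo files) lists every principal that is a member of db_owner, directly or through a nested database role, and whether its login is a sysadmin. The CTE name owner_members and the column aliases are hypothetical.

```sql
-- Added example. Run inside the database under review, as a sysadmin.
WITH owner_members AS (
    -- Direct members of db_owner.
    SELECT rm.member_principal_id,
           rm.role_principal_id AS via_role_id
    FROM   sys.database_role_members AS rm
    JOIN   sys.database_principals   AS r
           ON r.principal_id = rm.role_principal_id
    WHERE  r.name = N'db_owner'

    UNION ALL

    -- Members of any role that is itself nested inside db_owner.
    SELECT rm.member_principal_id,
           rm.role_principal_id
    FROM   owner_members AS om
    JOIN   sys.database_role_members AS rm
           ON rm.role_principal_id = om.member_principal_id
)
SELECT m.name      AS Principal,
       m.type_desc AS PrincipalType,
       v.name      AS ViaRole,
       SUSER_SNAME(m.sid) AS ServerLogin,   -- NULL for roles and orphaned users
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(m.sid)) AS IsSysadmin
                                            -- 1 = sysadmin, 0 = not, NULL = no login
FROM   owner_members AS om
JOIN   sys.database_principals AS m ON m.principal_id = om.member_principal_id
JOIN   sys.database_principals AS v ON v.principal_id = om.via_role_id
WHERE  m.principal_id <> 1                  -- dbo itself is always listed; skip it
ORDER BY m.name, v.name;
```

Rows where IsSysadmin is 0 or NULL are the non-admin principals that can drop objects, change settings, alter files, take backups, or drop the database.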

Leave a real user as the database owner

- Database owner: sys.databases.owner_sid

    -- DBOwnerLogin is NULL when the owner SID has no matching login on this instance.
    Select D.name As DBName,
        P.name As DBOwnerLogin,
        SUSER_SNAME(D.owner_sid) As DBOwnerWindowsAccount
    From sys.databases As D
    Left Join sys.server_principals As P
        On P.sid = D.owner_sid;

  *Query included in session demo files

- Account gets mapped to the database user dbo
- dbo bypasses permissions checking within database
- Sysadmins impersonate dbo within database
- Invalid owner can cause error 916 when sysadmin tries to access database:
  The server principal <login> is not able to access the database <database> under the current security context.

Q & A

Thank you for attending!

- My blog: www.sqlsoldier.com
- Twitter: twitter.com/SQLSoldier