Look, Over There, Your Permissions Are Showing!

Presentation on theme: "Look, Over There, Your Permissions Are Showing!"— Presentation transcript:

1 Look, Over There, Your Permissions Are Showing!
Effective permissions auditing, and what your permissions mean to a hypothetical attacker

2 Who Am I?
Travis Page, CISSP
Currently: Sr. Database Administrator at Jackson Hewitt Tax Service
Over 8 years of experience as a DBA
Experience with production database workloads in both AWS and Azure
Fun Fact: I’ve been to 28 States plus DC, and 13 Countries so far.

3 Legal Disclosure
My lawyers want you to know…

4 What do your permissions look like?
Does your environment have a hidden dumpster fire of permissions? Or are you sitting pretty with a hardened environment? How would you know?

5 Scenario
Your boss is asking for a report on who has access to the production systems. You have one hour, GO.
What would your first instinct be?
Write a query to pull the data together
Use the SSMS UI to gather all of the permissions
Script out all of the permissions and grep the output

6 In dbatools we trust
Dbatools is a free, community PowerShell module
Dbatools contains two cmdlets that can audit permissions: Get-DbaPermission and Get-DbaUserPermission
For this presentation I will use Get-DbaUserPermission
I will also be utilizing an additional module, ImportExcel, to allow quick analysis within Excel
All scripts used will be available on my GitHub and the SQLSaturday site
Identify nested database or server level roles

7 DEMO

8 What did we just gather?
Starting from the most granular and working our way inward:
We can identify our server level permissions and any AD/local group assignments
We can identify our database level permissions and any AD/local group assignments
Using the same audit technique we can identify the same identities used and the permissions assigned

9 What else can I do?
What permissions did you not know about?
When was the last time you checked what permissions were assigned to PUBLIC?
Is IMPERSONATE in your environment?
Have your Active Directory groups gotten nested? Should they be?
Are you using a “One Group to Rule Them” strategy for critical roles or permissions?

10 DEMO

11 What have we found?
Obvious Issues
Sysadmin or other server roles
Database roles such as db_owner, db_ddladmin
Permissions assigned to public
Less Obvious Issues
Impersonate
High privilege service account re-use
Nested Active Directory groups
Nested Database/Server roles
Permission Creep
SQL Agent permissions

Sysadmin and other server roles will be the place that most DBAs will look. Most auditors will look for this as well. Less obvious, however, is that many monitoring tools, backup tools and other applications require sysadmin privilege. If service account segregation is not put in place, this could result in a much wider blast radius should a breach occur.

Impersonate is a permission that can be granted to an account. If it is misunderstood, it can create the conditions for a breach. Metasploit has modules that look specifically for this permission misconfiguration.

Nested AD groups are sneaky in that most DBAs will not properly audit past the first level to identify membership. AD groups can nest in a recursive fashion. To properly enumerate the users in each group you must exhaust each group down to its lowest level, or reach back to its origin point in the event of a loop. This is often missed in an audit, and could result in wider than intended permissions being available.

Database roles and server roles are likewise subject to the same limits. Permissions are cumulative, with the exception of DENYs, which override the GRANTs that precede them. This can result in a role being assigned that appears by name to have one set of permissions but in reality has a much larger set of permissions, or does not work as intended.

Permission Creep is the by-product of users accumulating permissions over the course of multiple duty assignments without cleanup. This is typically a difficult task to rectify, as the user may still have some of the original duties to complete that require a subset of the permissions.

SQL Agent permissions are among the hardest to keep tight, because changing jobs often requires more permission than desired. This can be avoided if the proper security infrastructure is in place, but it is still not an ideal solution and is a fundamental limitation of SQL Server and other task scheduling solutions.
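The nested-role, IMPERSONATE and public checks described above, written as T-SQL over the SQL Server catalog views (an added example, not one of the presenter's GitHub scripts). It assumes it is run inside the database being audited by a principal that can read that database's catalog; server-level roles and AD group nesting are outside what these two views can show.

```sql
-- Query 1: expand nested database role membership recursively, so that a user
-- who is in role A, where A is a member of B, is reported as effectively in B.
WITH RoleTree AS (
    -- Anchor: every direct membership recorded in this database
    SELECT rm.member_principal_id,
           rm.role_principal_id,
           CAST(r.name AS nvarchar(4000)) AS role_path,
           1 AS depth
    FROM sys.database_role_members AS rm
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    UNION ALL
    -- Recursive step: if the role reached so far is itself a member of another
    -- role, the original member inherits that role too
    SELECT rt.member_principal_id,
           rm.role_principal_id,
           CAST(rt.role_path + N' -> ' + r.name AS nvarchar(4000)),
           rt.depth + 1
    FROM RoleTree AS rt
    JOIN sys.database_role_members AS rm ON rm.member_principal_id = rt.role_principal_id
    JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
    WHERE rt.depth < 32   -- defensive stop in case of a membership loop
)
SELECT m.name AS member_name, m.type_desc AS member_type, rt.role_path, rt.depth
FROM RoleTree AS rt
JOIN sys.database_principals AS m ON m.principal_id = rt.member_principal_id
WHERE m.type IN ('S', 'U', 'G', 'E', 'X')   -- users and groups only, not roles
  AND rt.depth > 1                          -- keep only memberships inherited via nesting
ORDER BY m.name, rt.depth;

-- Query 2: IMPERSONATE grants and anything granted to public, with the securable
-- resolved to a readable name. state_desc shows DENY, which overrides a GRANT.
SELECT pr.name AS grantee,
       pr.type_desc AS grantee_type,
       dp.permission_name,
       dp.state_desc,
       dp.class_desc,
       CASE dp.class
            WHEN 0 THEN DB_NAME()                    -- the whole database
            WHEN 1 THEN OBJECT_NAME(dp.major_id)     -- table, view, procedure, ...
            WHEN 3 THEN SCHEMA_NAME(dp.major_id)     -- schema
            WHEN 4 THEN tgt.name                     -- another principal (IMPERSONATE)
            ELSE CONCAT(dp.class_desc, N':', dp.major_id)
       END AS securable
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr ON pr.principal_id = dp.grantee_principal_id
LEFT JOIN sys.database_principals AS tgt ON dp.class = 4 AND tgt.principal_id = dp.major_id
WHERE dp.permission_name = N'IMPERSONATE' OR pr.name = N'public'
ORDER BY pr.name, dp.permission_name, securable;
```

Drop the `rt.depth > 1` filter in the first query to list every effective role membership, direct and inherited, for each user or group.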

12 Conclusion
Basic permissions audits can be performed in minutes
Analysis of the results can help to uncover environmental issues
PowerShell can automate the dumping of permissions, allowing the DBA’s time to be spent on analysis

13 Questions?

14 Contact Information LinkedIn:

