5 Matt Martin CTO-SQLETL I love data integration I love efficiency I’ve been an ETL developer for 9 years. In 2015, I founded SQLETL.com which provides software to make data integration with SQL Server fast and easy.I love efficiencyI will spend hours, sometimes days perfecting code so that it runs as fast as possible. It sometimes is not the smartest idea to gain an extra 5 seconds on execution time, but I enjoy it.Matt MartinCTO-SQLETLI love teachingI’ve been speaking at several SQL Saturdays in the southeast on various topics such as query optimization, security, forecasting, and data integration. Going to teach a class on CLR soon./SQLETL@sqletl_matt
8 Agenda 5 WAYS TO BYPASS * OR ENSURE* SQL SERVER SECURITY Start a job under SQLAgentOperator RoleStart a job from MSDB with parameterUse a linked server“I need a sandbox database that I’m DBO on”Take over the box with xp_cmdshellHOW TO CLOSE THESE LOOPHOLES
9 1. Start a Job as SQLAgentOperator ME: Hi [DBA], I need the ability to start a job on our SQL server, but I don’t have a set schedule for when it needs to run, hence I need you to grant me access to start the job.DBA: Well, this job requires doing things like truncating/dropping tables, and it runs under a sysadmin account. The only way I know to give you access is to check off the “SQLAgentOperator” role in MSDB. Does that work? Are you able to run the job now?ME: Yes! Thank you!!With the SQLAgentOperator role checked off,your ID is now set to run ANY job on the SQL Server.You could then…Update an existing stored procedure definition to elevate your permissions to sysadminStart the job that runs that procedure…and you then own the box.
10 2. Start a Job From MSDB with Parameter ME: Hi [DBA], I need the ability to run several of my jobs, but would like to simplify this process for you and me to where I just have one procedure and I pass in the job name as a parameter.DBA: Ok. I’ve created a procedure in MSDB for you so that you can pass in your job name as a parameter.USE msdbGOCREATE PROC dbo.usp_run_some_job@job_nm nvarchar(128)WITH EXECUTE AS OWNERASEXECDON’T DO THIS!!!This pretty much opens the door like the SQLAgentOperator role does. The stored procedure uses the “WITH EXECUTE AS OWNER” signature as well as accepting the job name as a parameter, you can start any job on the server.
11 3. Linked Server Elevated Privileges You have a linked server that logins into a foreign server via a sysadmin account. You tell the DBA…Me: Hi [DBA], that linked server [name] that we use, I want to have my code be more efficient and less stress on the server. If you enable RPC out on the linked server, I can have it create temp tables to do my processing prior to me moving the data over.DBA: That’s great…anything to lower the stress on both servers! You have a deal!!EXEC(‘ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]’) AT LNKSRVR_A
12 4. I Need a Sandbox Database that I’m DBO On You do a lot of development and need the ability to test and work with production data,but without the hassle of having to first migrate the data to a QA server,either because you are pressed for time, or you just don’t want to do it.Me: “Hi [DBA], can you please create a sandbox database for me on the prod system, and add me as db_owner to the database? I need this because our environment and requests from senior leadership constantly change, and I need the flexibility to do adhoc analysis quickly and have the ability to create tables and procs on the fly. I don’t want to affect the production DB’s, so can you just create a sandbox DB for me? What’s the harm?”DBA: “Well, our governance policy says no…so sorry, I’m not doing it.”Me: “That’s fine. Just an FYI, I need to communicate this back up my leadership chain, so don’t be alarmed if they come back asking you more questions”DBA: “Whoooahhhhh, I’m kidding. We have a ‘policy’ in place for these situations and I’ll create a database for you with 5GB of space…Is that enough?”Me: “Plenty. Thank you!!”Create a procedure on your sandbox, and convince the DBA to schedule it to run daily at a certain time. Once it’s on a job schedule, all you have to do is update the proc with the SQL below:WINNING x2ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]
13 5. xp_cmdshell to take over the box You want the ability to do some local file taskslike listing directory content on your SQL Server or deleting files.In order to do so, you have the following conversation with the DBA:Me: Hi [DBA], I need the ability to delete some files after I import them on the server. Can you grant me permissions to xp_cmdshell?DBA: Well, I’ve been told it is dangerous to enable xp_cmdshell, but since we are on a closed system, I think its alright…Ok, you’ve been granted access to execute”If the account that runs the SQL Server instance is a local administrator, you can now add yourself as an administrator on the box simply by running the command below. You can now remote onto the box and remove everyone else.EXEC xp_cmdshell ‘net localgroup administrators MDDT\Matt /add’
14 How to Close the Loopholes Never enable a business user for SQLAgentOperator Role.Never use SA or another sysadmin account for a linked server.Set it to a reader login with minimum permissionsNever schedule a job that calls a procedure on a database that a business user has ALTER access to, unless you have a written agreement that the business user will not abuse the privilege.Never allow a parameterized job call in MSDB. ALWAYS hardcode the job name.Do ensure the account running SQL Server has only permissions necessary to run the server. They should not be an administrator on the box. For xp_cmdshell, if necessary, setup a proxy account with minimal permissions to prevent users from elevating themselves on a server.Do empower your customers, but maintain security at the same time. Allow sandboxes on non-financial production, as long as you limit the growth of it, and have no jobs running on an SA account touching it. Sandboxes open up A LOT of value creation at an organization.
15 5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTINCTO | SQLETLWebsite: