5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN

Presentation transcript:

5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN Pass Summit 2017 Seattle, WA

Matt Martin, CTO-SQLETL

I love data integration
I’ve been an ETL developer for 9 years. In 2015, I founded SQLETL.com which provides software to make data integration with SQL Server fast and easy.

I love efficiency
I will spend hours, sometimes days perfecting code so that it runs as fast as possible. It sometimes is not the smartest idea to gain an extra 5 seconds on execution time, but I enjoy it.

I love teaching
I’ve been speaking at several SQL Saturdays in the southeast on various topics such as query optimization, security, forecasting, and data integration. Going to teach a class on CLR soon.

/SQLETL @sqletl_matt

Learn more from Matt Martin @sqletl_matt matt@sqletl.com

Agenda: 5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY

1. Start a job under the SQLAgentOperator role
2. Start a job from MSDB with a parameter
3. Use a linked server
4. “I need a sandbox database that I’m DBO on”
5. Take over the box with xp_cmdshell

HOW TO CLOSE THESE LOOPHOLES

1. Start a Job as SQLAgentOperator

ME: Hi [DBA], I need the ability to start a job on our SQL server, but I don’t have a set schedule for when it needs to run, hence I need you to grant me access to start the job.

DBA: Well, this job requires doing things like truncating/dropping tables, and it runs under a sysadmin account. The only way I know to give you access is to check off the “SQLAgentOperator” role in MSDB. Does that work? Are you able to run the job now?

ME: Yes! Thank you!!

With the SQLAgentOperator role checked off, your ID is now set to run ANY job on the SQL Server. You could then…

- Update an existing stored procedure definition to elevate your permissions to sysadmin
- Start the job that runs that procedure

…and you then own the box.

2. Start a Job From MSDB with Parameter

ME: Hi [DBA], I need the ability to run several of my jobs, but would like to simplify this process for you and me to where I just have one procedure and I pass in the job name as a parameter.

DBA: Ok. I’ve created a procedure in MSDB for you so that you can pass in your job name as a parameter.

    USE msdb
    GO
    CREATE PROC dbo.usp_run_some_job
        @job_nm nvarchar(128)
    WITH EXECUTE AS OWNER
    AS
        EXEC sp_start_job @job_name = @job_nm

DON’T DO THIS!!! This pretty much opens the door like the SQLAgentOperator role does. Because the stored procedure is declared WITH EXECUTE AS OWNER and also accepts the job name as a parameter, anyone who can execute it can start any job on the server.
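The hardened shape of that wrapper, as an added example (not from the deck): the job name is a constant inside the procedure, so the caller gets exactly one job and nothing else. The job name `Sales Load` and the login `MDDT\Matt` are assumptions for illustration.

```sql
USE msdb;
GO
-- Assumed: the business login already exists on the instance; give it a user
-- in msdb so it can be granted EXECUTE on the wrapper (no Agent role needed).
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'MDDT\Matt')
    CREATE USER [MDDT\Matt] FOR LOGIN [MDDT\Matt];
GO
-- Hardcoded replacement for usp_run_some_job: EXECUTE AS OWNER is still what
-- lets a non-privileged caller reach sp_start_job, but with no parameter the
-- procedure cannot be redirected at any other job on the server.
CREATE OR ALTER PROCEDURE dbo.usp_run_sales_load
WITH EXECUTE AS OWNER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @job_name sysname = N'Sales Load';   -- constant, not a parameter (assumed name)

    -- Refuse to start a second copy while the current Agent session shows
    -- this job as started but not yet stopped.
    IF EXISTS (
        SELECT 1
        FROM dbo.sysjobactivity ja
        JOIN dbo.sysjobs j ON j.job_id = ja.job_id
        WHERE j.name = @job_name
          AND ja.session_id = (SELECT MAX(session_id) FROM dbo.syssessions)
          AND ja.start_execution_date IS NOT NULL
          AND ja.stop_execution_date IS NULL
    )
    BEGIN
        RAISERROR(N'Job "%s" is already running.', 16, 1, @job_name);
        RETURN 1;
    END

    EXEC dbo.sp_start_job @job_name = @job_name;
    RETURN 0;
END
GO
-- Only this one entry point is granted; the caller still cannot see or start other jobs.
GRANT EXECUTE ON dbo.usp_run_sales_load TO [MDDT\Matt];
GO
```

The job itself still runs under its owner's context, so the procedure controls which job starts, not what that job may do; that part is covered by the job-owner and sandbox rules later in the deck.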

3. Linked Server Elevated Privileges

You have a linked server that logs into a foreign server via a sysadmin account. You tell the DBA…

Me: Hi [DBA], that linked server [name] that we use, I want to have my code be more efficient and less stress on the server. If you enable RPC out on the linked server, I can have it create temp tables to do my processing prior to me moving the data over.

DBA: That’s great…anything to lower the stress on both servers! You have a deal!!

    EXEC('ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]') AT LNKSRVR_A
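What closing this hole looks like on the local side, as an added example (not from the deck): the catch-all mapping to the remote sysadmin account is replaced by a dedicated reader login, and RPC OUT is switched off so `EXEC (...) AT` no longer works while four-part-name queries still do. `LNKSRVR_A` is the deck's linked server name; the remote login `lnk_reader` is assumed to already exist on the remote server with only the SELECT permissions the data movement needs.

```sql
USE master;
GO
-- Drop the default mapping (@locallogin = NULL is the "all other logins" row),
-- which is where the remote sysadmin account was configured.
EXEC sp_droplinkedsrvlogin @rmtsrvname = N'LNKSRVR_A', @locallogin = NULL;

-- Map every local login to the low-privilege remote account.
-- @useself = 'FALSE' means the fixed remote login is used, not the caller's
-- own credentials, so nobody gets more on the remote side than lnk_reader has.
EXEC sp_addlinkedsrvlogin
     @rmtsrvname  = N'LNKSRVR_A',
     @useself     = N'FALSE',
     @locallogin  = NULL,
     @rmtuser     = N'lnk_reader',
     @rmtpassword = N'<supply from your secret store, not from a script>';

-- RPC OUT off: SELECT ... FROM LNKSRVR_A.db.schema.table still works,
-- EXEC ('...') AT LNKSRVR_A is rejected.
EXEC sp_serveroption @server = N'LNKSRVR_A', @optname = N'rpc out', @optvalue = N'FALSE';

-- Verify the result: expect is_rpc_out_enabled = 0, uses_self_credential = 0,
-- remote_name = lnk_reader on the default (NULL local login) row.
SELECT s.name,
       s.is_rpc_out_enabled,
       ll.uses_self_credential,
       ll.remote_name,
       SUSER_NAME(ll.local_principal_id) AS local_login   -- NULL = default mapping
FROM sys.servers s
JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.name = N'LNKSRVR_A';
```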

4. I Need a Sandbox Database that I’m DBO On

You do a lot of development and need the ability to test and work with production data, but without the hassle of having to first migrate the data to a QA server, either because you are pressed for time, or you just don’t want to do it.

Me: “Hi [DBA], can you please create a sandbox database for me on the prod system, and add me as db_owner to the database? I need this because our environment and requests from senior leadership constantly change, and I need the flexibility to do ad hoc analysis quickly and have the ability to create tables and procs on the fly. I don’t want to affect the production DBs, so can you just create a sandbox DB for me? What’s the harm?”

DBA: “Well, our governance policy says no…so sorry, I’m not doing it.”

Me: “That’s fine. Just an FYI, I need to communicate this back up my leadership chain, so don’t be alarmed if they come back asking you more questions.”

DBA: “Whoooahhhhh, I’m kidding. We have a ‘policy’ in place for these situations and I’ll create a database for you with 5GB of space…Is that enough?”

Me: “Plenty. Thank you!!”

Create a procedure on your sandbox, and convince the DBA to schedule it to run daily at a certain time. Once it’s on a job schedule, all you have to do is update the proc with the SQL below:

WINNING x2

    ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]

5. xp_cmdshell to take over the box

You want the ability to do some local file tasks like listing directory content on your SQL Server or deleting files. In order to do so, you have the following conversation with the DBA:

Me: Hi [DBA], I need the ability to delete some files after I import them on the server. Can you grant me permissions to xp_cmdshell?

DBA: Well, I’ve been told it is dangerous to enable xp_cmdshell, but since we are on a closed system, I think it’s alright…Ok, you’ve been granted access to execute.

If the account that runs the SQL Server instance is a local administrator, you can now add yourself as an administrator on the box simply by running the command below. You can now remote onto the box and remove everyone else.

    EXEC xp_cmdshell 'net localgroup administrators MDDT\Matt /add'

How to Close the Loopholes

- Never enable a business user for the SQLAgentOperator role.
- Never use SA or another sysadmin account for a linked server. Set it to a reader login with minimum permissions.
- Never schedule a job that calls a procedure on a database that a business user has ALTER access to, unless you have a written agreement that the business user will not abuse the privilege.
- Never allow a parameterized job call in MSDB. ALWAYS hardcode the job name.
- Do ensure the account running SQL Server has only the permissions necessary to run the server. It should not be an administrator on the box.
- For xp_cmdshell, if necessary, set up a proxy account with minimal permissions to prevent users from elevating themselves on a server.
- Do empower your customers, but maintain security at the same time. Allow sandboxes on non-financial production, as long as you limit their growth and have no jobs running on an SA account touching them. Sandboxes open up A LOT of value creation at an organization.
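An audit script for the five loopholes above, as an added example (not from the deck): each query returns the rows a DBA would want to review for one finding type, using only catalog views and msdb tables. The check for the service account's local-admin rights cannot be done from T-SQL, so that query only lists the account to verify on the host.

```sql
-- 1. Who can start ANY job: members of SQLAgentOperatorRole in msdb.
SELECT N'SQLAgentOperatorRole member' AS finding, m.name AS principal_name
FROM msdb.sys.database_role_members rm
JOIN msdb.sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'SQLAgentOperatorRole';

-- 2. msdb procedures that wrap sp_start_job AND take parameters
--    (the usp_run_some_job pattern). Heuristic: review each hit by hand.
SELECT N'Parameterized sp_start_job wrapper' AS finding, pr.name AS proc_name
FROM msdb.sys.procedures pr
JOIN msdb.sys.sql_modules sm ON sm.object_id = pr.object_id
WHERE sm.definition LIKE N'%sp_start_job%'
  AND EXISTS (SELECT 1 FROM msdb.sys.parameters p WHERE p.object_id = pr.object_id);

-- 3. Linked servers with RPC OUT on, or a default mapping that sends every
--    caller through one fixed remote login (check that login is not sysadmin).
SELECT N'Linked server exposure' AS finding, s.name AS linked_server,
       s.is_rpc_out_enabled, ll.uses_self_credential, ll.remote_name
FROM sys.servers s
JOIN sys.linked_logins ll ON ll.server_id = s.server_id
WHERE s.is_linked = 1
  AND (s.is_rpc_out_enabled = 1
       OR (ll.local_principal_id = 0 AND ll.uses_self_credential = 0));

-- 4. Sysadmin-owned jobs whose steps run in user databases: if a business
--    user can ALTER a procedure there, this is the sandbox escalation path.
SELECT N'Sysadmin job runs in user DB' AS finding, j.name AS job_name,
       SUSER_SNAME(j.owner_sid) AS job_owner, js.step_id, js.database_name
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps js ON js.job_id = j.job_id
WHERE IS_SRVROLEMEMBER(N'sysadmin', SUSER_SNAME(j.owner_sid)) = 1
  AND js.database_name NOT IN (N'master', N'msdb', N'model', N'tempdb');

-- 5a. xp_cmdshell enabled at the instance level.
SELECT N'xp_cmdshell enabled' AS finding, name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell' AND CAST(value_in_use AS int) = 1;

-- 5b. Service accounts to verify on the host: none should be a local administrator.
SELECT N'Service account (verify not local admin)' AS finding, servicename, service_account
FROM sys.dm_server_services;
```

Run it as a sysadmin (query 5b needs VIEW SERVER STATE); an empty result for findings 1, 2, 3 and 5a and only expected jobs under finding 4 is the state the checklist above describes.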

5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN CTO | SQLETL Twitter: @sqletl_matt Website: www.sqletl.com Email: matt@sqletl.com