Presentation is loading. Please wait.

Presentation is loading. Please wait.

5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN

Published byCelia García Velázquez Modified over 5 years ago

Similar presentations

Presentation on theme: "5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN"— Presentation transcript:

1 5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN
Pass Summit 2017 Seattle, WA

2

3

4

5 Matt Martin CTO-SQLETL I love data integration I love efficiency
I’ve been an ETL developer for 9 years. In 2015, I founded SQLETL.com which provides software to make data integration with SQL Server fast and easy. I love efficiency I will spend hours, sometimes days perfecting code so that it runs as fast as possible. It sometimes is not the smartest idea to gain an extra 5 seconds on execution time, but I enjoy it. Matt Martin CTO-SQLETL I love teaching I’ve been speaking at several SQL Saturdays in the southeast on various topics such as query optimization, security, forecasting, and data integration. Going to teach a class on CLR soon. /SQLETL @sqletl_matt

6 Learn more from Matt Martin
@sqletl_matt

7

8 Agenda 5 WAYS TO BYPASS * OR ENSURE* SQL SERVER SECURITY
Start a job under SQLAgentOperator Role Start a job from MSDB with parameter Use a linked server “I need a sandbox database that I’m DBO on” Take over the box with xp_cmdshell HOW TO CLOSE THESE LOOPHOLES

9 1. Start a Job as SQLAgentOperator
ME: Hi [DBA], I need the ability to start a job on our SQL server, but I don’t have a set schedule for when it needs to run, hence I need you to grant me access to start the job. DBA: Well, this job requires doing things like truncating/dropping tables, and it runs under a sysadmin account. The only way I know to give you access is to check off the “SQLAgentOperator” role in MSDB. Does that work? Are you able to run the job now? ME: Yes! Thank you!! With the SQLAgentOperator role checked off, your ID is now set to run ANY job on the SQL Server. You could then… Update an existing stored procedure definition to elevate your permissions to sysadmin Start the job that runs that procedure …and you then own the box.

10 2. Start a Job From MSDB with Parameter
ME: Hi [DBA], I need the ability to run several of my jobs, but would like to simplify this process for you and me to where I just have one procedure and I pass in the job name as a parameter. DBA: Ok. I’ve created a procedure in MSDB for you so that you can pass in your job name as a parameter. USE msdb GO CREATE PROC dbo.usp_run_some_job @job_nm nvarchar(128) WITH EXECUTE AS OWNER AS EXEC DON’T DO THIS!!! This pretty much opens the door like the SQLAgentOperator role does. The stored procedure uses the “WITH EXECUTE AS OWNER” signature as well as accepting the job name as a parameter, you can start any job on the server.

11 3. Linked Server Elevated Privileges
You have a linked server that logins into a foreign server via a sysadmin account. You tell the DBA… Me: Hi [DBA], that linked server [name] that we use, I want to have my code be more efficient and less stress on the server. If you enable RPC out on the linked server, I can have it create temp tables to do my processing prior to me moving the data over. DBA: That’s great…anything to lower the stress on both servers! You have a deal!! EXEC(‘ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]’) AT LNKSRVR_A

12 4. I Need a Sandbox Database that I’m DBO On
You do a lot of development and need the ability to test and work with production data, but without the hassle of having to first migrate the data to a QA server, either because you are pressed for time, or you just don’t want to do it. Me: “Hi [DBA], can you please create a sandbox database for me on the prod system, and add me as db_owner to the database? I need this because our environment and requests from senior leadership constantly change, and I need the flexibility to do adhoc analysis quickly and have the ability to create tables and procs on the fly. I don’t want to affect the production DB’s, so can you just create a sandbox DB for me? What’s the harm?” DBA: “Well, our governance policy says no…so sorry, I’m not doing it.” Me: “That’s fine. Just an FYI, I need to communicate this back up my leadership chain, so don’t be alarmed if they come back asking you more questions” DBA: “Whoooahhhhh, I’m kidding. We have a ‘policy’ in place for these situations and I’ll create a database for you with 5GB of space…Is that enough?” Me: “Plenty. Thank you!!” Create a procedure on your sandbox, and convince the DBA to schedule it to run daily at a certain time. Once it’s on a job schedule, all you have to do is update the proc with the SQL below: WINNING x2 ALTER SERVER ROLE SYSADMIN ADD MEMBER [MDDT\MATT]

13 5. xp_cmdshell to take over the box
You want the ability to do some local file tasks like listing directory content on your SQL Server or deleting files. In order to do so, you have the following conversation with the DBA: Me: Hi [DBA], I need the ability to delete some files after I import them on the server. Can you grant me permissions to xp_cmdshell? DBA: Well, I’ve been told it is dangerous to enable xp_cmdshell, but since we are on a closed system, I think its alright…Ok, you’ve been granted access to execute” If the account that runs the SQL Server instance is a local administrator, you can now add yourself as an administrator on the box simply by running the command below. You can now remote onto the box and remove everyone else. EXEC xp_cmdshell ‘net localgroup administrators MDDT\Matt /add’

14 How to Close the Loopholes
Never enable a business user for SQLAgentOperator Role. Never use SA or another sysadmin account for a linked server. Set it to a reader login with minimum permissions Never schedule a job that calls a procedure on a database that a business user has ALTER access to, unless you have a written agreement that the business user will not abuse the privilege. Never allow a parameterized job call in MSDB. ALWAYS hardcode the job name. Do ensure the account running SQL Server has only permissions necessary to run the server. They should not be an administrator on the box. For xp_cmdshell, if necessary, setup a proxy account with minimal permissions to prevent users from elevating themselves on a server. Do empower your customers, but maintain security at the same time. Allow sandboxes on non-financial production, as long as you limit the growth of it, and have no jobs running on an SA account touching it. Sandboxes open up A LOT of value creation at an organization.

15 5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY
MATT MARTIN CTO | SQLETL Website:

Download ppt "5 WAYS TO BYPASS *OR ENSURE* SQL SERVER SECURITY MATT MARTIN"

Similar presentations

Where to Put Your Package Okay, stop giggling – this is SQL Server!

Where to Put Your Package Okay, stop giggling – this is SQL Server!
Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.

Week 6: Chapter 6 Agenda Automation of SQL Server tasks using: SQL Server Agent Scheduling Scripting Technologies.
Logins, Roles and Credentials Lesson 14. Skills Matrix.

Logins, Roles and Credentials Lesson 14. Skills Matrix.
Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.

Database Security and Auditing: Protecting Data Integrity and Accessibility Chapter 3 Administration of Users.
Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.

Today’s Objectives Chapters 10 and 11 Security in SQL Server –Manage server logins and database users. –Manage server-level, database-level, and application.
Informix IDS Administration with the New Server Studio 4.0 By Lester Knutsen My experience with the beta of Server Studio and the new Informix database.

Informix IDS Administration with the New Server Studio 4.0 By Lester Knutsen My experience with the beta of Server Studio and the new Informix database.
Copyright © 2013 Curt Hill Database Security An Overview with some SQL.

Copyright © 2013 Curt Hill Database Security An Overview with some SQL.
Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.

Module 10 Assigning Server and Database Roles. Module Overview Working with Server Roles Working with Fixed Database Roles Creating User-defined Database.
Lara Microsoft. What does it mean? Why do you need to care? How can you achieve your SoD goals?

Lara Microsoft. What does it mean? Why do you need to care? How can you achieve your SoD goals?
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.

Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
INTRO TO SQL SERVER SECURITY By Robert Biddle

INTRO TO SQL SERVER SECURITY By Robert Biddle
SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.

SQL Server 2005 Implementation and Maintenance Chapter 6: Security and SQL Server 2005.
Oracle 11g: SQL Chapter 7 User Creation and Management.

Oracle 11g: SQL Chapter 7 User Creation and Management.
SQL Server Security Basics Starting with a good foundation Kenneth Fisher

SQL Server Security Basics Starting with a good foundation Kenneth Fisher
SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance

SQL Server Security The Low Hanging Fruit. Lindsay Clark Database Administrator at American Credit Acceptance
You Inherited a Database Now What? What you should immediately check and start monitoring for. Tim Radney, Senior DBA for a top 40 US Bank President of.

You Inherited a Database Now What? What you should immediately check and start monitoring for. Tim Radney, Senior DBA for a top 40 US Bank President of.
New Instance… Now What? Presented by: James Donahoe Senior Solutions Engineer – TeleTracking Technologies MCSA: SQL Server 2012.

New Instance… Now What? Presented by: James Donahoe Senior Solutions Engineer – TeleTracking Technologies MCSA: SQL Server 2012.
WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations

WELCOME! SQL Server Security. Scott Gleason This is my 9 th Jacksonville SQL Saturday Over ten years DBA experience Director of Database Operations
Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.

Cosc 5/4765 Database security. Database Databases have moved from internal use only to externally accessible. –Organizations store vast quantities of.
Defense In Depth: Minimizing the Risk of SQL Injection

Defense In Depth: Minimizing the Risk of SQL Injection

Similar presentations

Ads by Google