
Aside from executing XP_CmdShell, which I have disabled in my SQL 2005 installation, what could a malicious user who gains DBO rights to my database do:

  • To my database,
  • To my server?

I'm assessing the worst-case security risk of someone obtaining DBO to justify running a "least-privileged" user account in an application. Some allege that since we're not working with "confidential data", the impact of someone gaining DBO is minimal.

Sam
Caveatrob

6 Answers


He can run any XP_ sproc, so he can mess up the registry and mess up your whole server, for one thing. Drop/change tables, etc.

Mladen Prajdic
  • I believe that's incorrect. If an attacker gets in as DBO, not all xp's are available to DBO. For example, a DBO attacker cannot execute xp_CmdShell. Of course, the best thing to do is to not grant DBO to any public facing app or site. They should only have PUBLIC privs and the privs to execute only certain stored procedures. And, of course, it's "Death by SQL" to allow anyone or any thing to have "SA" privs other than the essential DBA's. – Jeff Moden Apr 06 '13 at 14:35

dbo is Database Owner - which may or may not be sa. As dbo, you basically have free rein over the owned database - obviously, this could lead to changed permissions, dropped tables, etc.

As sa, you have free rein over the server. This includes installing new extended procedures (or .NET assemblies if you have CLR enabled), as well as everything dbo can do (for all databases). And, you can also enable xp_cmdshell again.

Mark Brackett

Lots of info online about SQL injection. Limiting the privs of the user you connect to SQL with is one very important defense.

http://en.wikipedia.org/wiki/SQL_injection

Here's a simple, frightening example I ran into a couple of years ago. Website generates SQL statements on the fly using URLs and runs them. I was able to guess that URLs like

www.blah.com/.../load.aspx?itemid=1

produced SQL like this

SELECT * FROM items where id=1

so I sent this url:

www.blah.com/.../load.aspx?itemid=1;drop table items

bang.

At the very least, if the DB connection was not dbo this would have failed.

n8wrl

To put it bluntly, if he owns your database, he pwns your database. That is to say, you can kiss your data good-bye.

Paul Nathan

That is to say, you can kiss your data good-bye.

But you have backups on disk and on tape, so you are golden!

Sam

Yeah. The typical defense is "well, at least he can't mess up anything outside of his database" (xp_CmdShell is not enabled). Me, I'm not comfortable having a mad-dog rapist in a locked closet in my house. But that analogy isn't a great sell to management.

Caveatrob