How to prove NT AUTHORITY / NT SERVICE SQL accounts cannot be authenticated to?

Question

Auditors are asking me to show them that NT AUTHORITY / NT SERVICE accounts (NT SERVICE\SQLWriter, NT SERVICE\Winmgmt, etc.) in our SQL databases. I was taught that they are service accounts and are non-interactive.

Is there a way I can demonstrate this to them? I've send them the MS documentation on Windows Service Accounts and Permissions and they're saying they want a live demonstration of it.

How can I do this? Is there a flag I can show them?

Tag properly! If this is SQL Server, why do I see MySQL tag in the question? — Eric, May 24 '19 at 22:17
I'd argue this isn't even really related to SQL atall - it is more a general windows question — Milney, May 24 '19 at 22:27

score 0 · Answer 1 · answered May 24 '19 at 22:25

0

You are incorrect... you can indeed run programs under those accounts. Even interactively. Either using something like PSExec mechansim (https://learn.microsoft.com/en-us/sysinternals/downloads/psexec), manipulating tokens, or changing the account rights using registry/GPO

answered May 24 '19 at 22:25

Milney

6,253
2
19
33

Running programs is one thing but I think they are looking to see if I can literally open up SQL studio and login to the accounts as I would my own personalized account. – enmasse May 24 '19 at 22:39
@enmasse - Well the answer is yes, you can. If you have admin access to the host, you can use PSExec to run SSMS under the context of one of those accounts, and then connect to the SQL server as them. – Milney May 25 '19 at 09:43

How to prove NT AUTHORITY / NT SERVICE SQL accounts cannot be authenticated to?

1 Answers1