Solved

SQL Server 2008 Impersonation

Posted on 2011-02-21
3
692 Views
Last Modified: 2012-05-11
Hi,

I am using impersonation to give my web server user limited rights to my database.

I am grant execute on stored procedure for the web server to use.
I then created a login name limited with datareader and datawriter roles to access the data within my stored procedure.
I am using Execute as user = 'limited' in my t-sql to perform the actions that I need.

My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

Thanks
0
Comment
Question by:dilithiumtoys_dot_com
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34948187
>> My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

From BOL:

"Additionally, IMPERSONATE permissions must be granted on the principal. Unless the caller is the database owner, or is a member of the sysadmin fixed server role, the principal must exist even when the user is accessing the database or instance of SQL Server through a Windows group membership."

In order for you to use EXECUTE AS clause, you should have IMPERSONATE rights on the login you are trying to impersonate. Or else you should be part of that particular database owner or sysadmin to perform that activity.
By ensuring this, security is compromised and hope this clarifies.
0
 

Author Comment

by:dilithiumtoys_dot_com
ID: 34982383
Thanks for the reply!

I do get that part. My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 250 total points
ID: 34985479
>> My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?

If a person has database owner or sysadmin privilege or IMPERSONATE privilege, they would be able to do it..
So, it would be better to grant the above permissions carefully as required
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you have heard of RFC822 date formats, they can be quite a challenge in SQL Server. RFC822 is an Internet standard format for email message headers, including all dates within those headers. The RFC822 protocols are available in detail at:   ht…
Composite queries are used to retrieve the results from joining multiple queries after applying any filters. UNION, INTERSECT, MINUS, and UNION ALL are some of the operators used to get certain desired results.​
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question