Solved

SQL Server 2008 Impersonation

Posted on 2011-02-21
3
689 Views
Last Modified: 2012-05-11
Hi,

I am using impersonation to give my web server user limited rights to my database.

I am grant execute on stored procedure for the web server to use.
I then created a login name limited with datareader and datawriter roles to access the data within my stored procedure.
I am using Execute as user = 'limited' in my t-sql to perform the actions that I need.

My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

Thanks
0
Comment
Question by:dilithiumtoys_dot_com
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34948187
>> My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

From BOL:

"Additionally, IMPERSONATE permissions must be granted on the principal. Unless the caller is the database owner, or is a member of the sysadmin fixed server role, the principal must exist even when the user is accessing the database or instance of SQL Server through a Windows group membership."

In order for you to use EXECUTE AS clause, you should have IMPERSONATE rights on the login you are trying to impersonate. Or else you should be part of that particular database owner or sysadmin to perform that activity.
By ensuring this, security is compromised and hope this clarifies.
0
 

Author Comment

by:dilithiumtoys_dot_com
ID: 34982383
Thanks for the reply!

I do get that part. My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 250 total points
ID: 34985479
>> My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?

If a person has database owner or sysadmin privilege or IMPERSONATE privilege, they would be able to do it..
So, it would be better to grant the above permissions carefully as required
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

'Between' is such a common word we rarely think about it but in SQL it has a very specific definition we should be aware of. While most database vendors will have their own unique phrases to describe it (see references at end) the concept in common …
Composite queries are used to retrieve the results from joining multiple queries after applying any filters. UNION, INTERSECT, MINUS, and UNION ALL are some of the operators used to get certain desired results.​
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

840 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question