Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 696
  • Last Modified:

SQL Server 2008 Impersonation

Hi,

I am using impersonation to give my web server user limited rights to my database.

I am grant execute on stored procedure for the web server to use.
I then created a login name limited with datareader and datawriter roles to access the data within my stored procedure.
I am using Execute as user = 'limited' in my t-sql to perform the actions that I need.

My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

Thanks
0
dilithiumtoys_dot_com
Asked:
dilithiumtoys_dot_com
  • 2
1 Solution
 
Raja Jegan RSQL Server DBA & ArchitectCommented:
>> My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

From BOL:

"Additionally, IMPERSONATE permissions must be granted on the principal. Unless the caller is the database owner, or is a member of the sysadmin fixed server role, the principal must exist even when the user is accessing the database or instance of SQL Server through a Windows group membership."

In order for you to use EXECUTE AS clause, you should have IMPERSONATE rights on the login you are trying to impersonate. Or else you should be part of that particular database owner or sysadmin to perform that activity.
By ensuring this, security is compromised and hope this clarifies.
0
 
dilithiumtoys_dot_comAuthor Commented:
Thanks for the reply!

I do get that part. My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?
0
 
Raja Jegan RSQL Server DBA & ArchitectCommented:
>> My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?

If a person has database owner or sysadmin privilege or IMPERSONATE privilege, they would be able to do it..
So, it would be better to grant the above permissions carefully as required
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now