Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

SQL Server 2008 Impersonation

Posted on 2011-02-21
3
Medium Priority
?
694 Views
Last Modified: 2012-05-11
Hi,

I am using impersonation to give my web server user limited rights to my database.

I am grant execute on stored procedure for the web server to use.
I then created a login name limited with datareader and datawriter roles to access the data within my stored procedure.
I am using Execute as user = 'limited' in my t-sql to perform the actions that I need.

My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

Thanks
0
Comment
Question by:dilithiumtoys_dot_com
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 57

Expert Comment

by:Raja Jegan R
ID: 34948187
>> My question is, since no password is required when using the "Execute as user" statement, what is to stop a unauthorized user from including this and executing SQL with the rights of the "limited" user?

From BOL:

"Additionally, IMPERSONATE permissions must be granted on the principal. Unless the caller is the database owner, or is a member of the sysadmin fixed server role, the principal must exist even when the user is accessing the database or instance of SQL Server through a Windows group membership."

In order for you to use EXECUTE AS clause, you should have IMPERSONATE rights on the login you are trying to impersonate. Or else you should be part of that particular database owner or sysadmin to perform that activity.
By ensuring this, security is compromised and hope this clarifies.
0
 

Author Comment

by:dilithiumtoys_dot_com
ID: 34982383
Thanks for the reply!

I do get that part. My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?
0
 
LVL 57

Accepted Solution

by:
Raja Jegan R earned 1000 total points
ID: 34985479
>> My question is what is to stop a malicious user who gains control of the account that has been granted the impersonate rights from using those rights him or herself?

If a person has database owner or sysadmin privilege or IMPERSONATE privilege, they would be able to do it..
So, it would be better to grant the above permissions carefully as required
0

Featured Post

Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I'm trying, I really am. But I've seen so many wrong approaches involving date(time) boundaries I despair about my inability to explain it. I've seen quite a few recently that define a non-leap year as 364 days, or 366 days and the list goes on. …
SQL Server engine let you use a Windows account or a SQL Server account to connect to a SQL Server instance. This can be configured immediatly during the SQL Server installation or after in the Server Authentication section in the Server properties …
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
In this video, Percona Solution Engineer Dimitri Vanoverbeke discusses why you want to use at least three nodes in a database cluster. To discuss how Percona Consulting can help with your design and architecture needs for your database and infras…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question