Solved

sysadmin risks

Posted on 2014-12-04
3
99 Views
Last Modified: 2014-12-19
1) we are trying to risk assess what the potential issues would be if a malicious user got hold of an account with sysadmin permissions. Every article I read says "anything", but I was hoping someone could give some examples on the type of thing a malicious user could do if they got sysadmin.

2) who genuinely needs sysadmin permissions, what types of task require sysadmin, to help verify if the current assignment is reasonable.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 35

Accepted Solution

by:
Kimputer earned 250 total points
ID: 40480350
1) If a malicious user got sysadmin, they could indeed to everything on the MS SQL server, reading/deleting/writing ALL databases, including system db/user db

2) Only the real sysadmin (or admin group) needs it. The highest of the highest IT or database person.  The rest of the people don't really need it. Even developers don't need it. You just assign the fulll rights to the database they're working on.

If the same password of "sa" is used as the server administrator password, then the malicious user can take over the whole server.
0
 
LVL 50

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 250 total points
ID: 40480425
"anything" means really anything. From deleting, inserting or updating data or creating, deleting and modifying objects or databases to creating or deleting users and changing passwords or stop the SQL Server service or even uninstalling the SQL Server.

That's why who should have sysadmin rules should be only the DBA's. They are the right people to administering and maintaining a SQL Server instance.
0
 
LVL 69

Expert Comment

by:Scott Pletcher
ID: 40481115
When SQL Server checks permissions for a login/user, it first checks for sysadmin authority.  If that authority is present, no other permission checks are ever done, since sysadmin has full authority.  That is why it is "everything" -- SQL will run any command for a sysadmin without any security checks.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction SQL Server Integration Services can read XML files, that’s known by every BI developer.  (If you didn’t, don’t worry, I’m aiming this article at newcomers as well.) But how far can you go?  When does the XML Source component become …
In this article we will learn how to fix  “Cannot install SQL Server 2014 Service Pack 2: Unable to install windows installer msi file” error ?
Familiarize people with the process of utilizing SQL Server functions from within Microsoft Access. Microsoft Access is a very powerful client/server development tool. One of the SQL Server objects that you can interact with from within Microsoft Ac…
Familiarize people with the process of retrieving data from SQL Server using an Access pass-thru query. Microsoft Access is a very powerful client/server development tool. One of the ways that you can retrieve data from a SQL Server is by using a pa…

737 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question