?
Solved

sysadmin risks

Posted on 2014-12-04
3
Medium Priority
?
104 Views
Last Modified: 2014-12-19
1) we are trying to risk assess what the potential issues would be if a malicious user got hold of an account with sysadmin permissions. Every article I read says "anything", but I was hoping someone could give some examples on the type of thing a malicious user could do if they got sysadmin.

2) who genuinely needs sysadmin permissions, what types of task require sysadmin, to help verify if the current assignment is reasonable.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 36

Accepted Solution

by:
Kimputer earned 1000 total points
ID: 40480350
1) If a malicious user got sysadmin, they could indeed to everything on the MS SQL server, reading/deleting/writing ALL databases, including system db/user db

2) Only the real sysadmin (or admin group) needs it. The highest of the highest IT or database person.  The rest of the people don't really need it. Even developers don't need it. You just assign the fulll rights to the database they're working on.

If the same password of "sa" is used as the server administrator password, then the malicious user can take over the whole server.
0
 
LVL 51

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 1000 total points
ID: 40480425
"anything" means really anything. From deleting, inserting or updating data or creating, deleting and modifying objects or databases to creating or deleting users and changing passwords or stop the SQL Server service or even uninstalling the SQL Server.

That's why who should have sysadmin rules should be only the DBA's. They are the right people to administering and maintaining a SQL Server instance.
0
 
LVL 69

Expert Comment

by:Scott Pletcher
ID: 40481115
When SQL Server checks permissions for a login/user, it first checks for sysadmin authority.  If that authority is present, no other permission checks are ever done, since sysadmin has full authority.  That is why it is "everything" -- SQL will run any command for a sysadmin without any security checks.
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.
Using examples as well as descriptions, and references to Books Online, show the different Recovery Models available in SQL Server and explain, as well as show how full, differential and transaction log backups are performed

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question