Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

sysadmin risks

Posted on 2014-12-04
3
Medium Priority
?
109 Views
Last Modified: 2014-12-19
1) we are trying to risk assess what the potential issues would be if a malicious user got hold of an account with sysadmin permissions. Every article I read says "anything", but I was hoping someone could give some examples on the type of thing a malicious user could do if they got sysadmin.

2) who genuinely needs sysadmin permissions, what types of task require sysadmin, to help verify if the current assignment is reasonable.
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 36

Accepted Solution

by:
Kimputer earned 1000 total points
ID: 40480350
1) If a malicious user got sysadmin, they could indeed to everything on the MS SQL server, reading/deleting/writing ALL databases, including system db/user db

2) Only the real sysadmin (or admin group) needs it. The highest of the highest IT or database person.  The rest of the people don't really need it. Even developers don't need it. You just assign the fulll rights to the database they're working on.

If the same password of "sa" is used as the server administrator password, then the malicious user can take over the whole server.
0
 
LVL 52

Assisted Solution

by:Vitor Montalvão
Vitor Montalvão earned 1000 total points
ID: 40480425
"anything" means really anything. From deleting, inserting or updating data or creating, deleting and modifying objects or databases to creating or deleting users and changing passwords or stop the SQL Server service or even uninstalling the SQL Server.

That's why who should have sysadmin rules should be only the DBA's. They are the right people to administering and maintaining a SQL Server instance.
0
 
LVL 70

Expert Comment

by:Scott Pletcher
ID: 40481115
When SQL Server checks permissions for a login/user, it first checks for sysadmin authority.  If that authority is present, no other permission checks are ever done, since sysadmin has full authority.  That is why it is "everything" -- SQL will run any command for a sysadmin without any security checks.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A Stored Procedure in Microsoft SQL Server is a powerful feature that it can be used to execute the Data Manipulation Language (DML) or Data Definition Language (DDL). Depending on business requirements, a single Stored Procedure can return differe…
When trying to connect from SSMS v17.x to a SQL Server Integration Services 2016 instance or previous version, you get the error “Connecting to the Integration Services service on the computer failed with the following error: 'The specified service …
Via a live example combined with referencing Books Online, show some of the information that can be extracted from the Catalog Views in SQL Server.
Viewers will learn how to use the INSERT statement to insert data into their tables. It will also introduce the NULL statement, to show them what happens when no value is giving for any given column.

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question