
Re:Security Hole in SQL 2005 that Garry Pointed Out in Nov Mtg

  • Chris Leonard
    Message 1 of 2 , Dec 1, 2007
      Hi Mike,

      I'm curious as to why you consider these new groups to be a security hole?
      Microsoft's intention is that the groups are a one-stop-shop for giving
      certain rights to accounts more easily. For example, to set up a service
      account for SQL Server on my laptop (named "Ferdinand" - sorry, no servers
      handy), I just have to add a Windows account to
      SQLServer2005MSSQLUser$FERDINAND$MSSQLSERVER. I no longer have to make sure
      I go into the registry, or use a certain tool, or anything like that - I
      just add the account to the group and presto! - all those exotic permissions
      that are required for the service account are already there. If you remove
      these groups from SQL Server, you may need to do more than just add logins
      for the group members - you may need to also grant other OS-level
      permissions to the logins. And that's the whole point - by using OS-level
      groups, Microsoft has made it possible for us to not have to worry about
      OS-level permissions, as these are encapsulated into the group. And they do
      it (I believe) in a way that for most implementations would be considered a
      best-practice, least-permissions-necessary approach. All for free! :o)

      You are an extremely bright guy, so I suspect that I might be missing
      something. Feel free to clue me in.... I have a feeling that you might be
      saying that if the Windows administrators are allowed to control group
      membership to this group, it opens up a vulnerability where one of them can
      do Bad Things. But in most cases they can already do Bad Things if they
      really want to, by taking over a Windows account with elevated permissions.
      Like I said, I think I'm missing something here (and, to be honest about my
      biases, I was really glad to see MS implement this feature :o) ), so clue me
      in to what your thinking is.

      Cheers,
      Chris

      PS. By default the only member of these groups is the service account
      indicated in the group name. So this is different than the
      builtin\Administrators group, which automagically gave permission to local
      Administrators one and all. This group doesn't automatically give
      permissions to anyone except the appropriate service account.
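
The message's PS says that by default each group contains only its service account, so any other member is worth reviewing. The following is an added example, not part of the original message: a PowerShell audit (Windows PowerShell 5.1 local-account cmdlets) that lists members of the `SQLServer2005MSSQLUser$...` groups other than the account the matching engine service runs as. The function names and the service-name mapping (`MSSQLSERVER` for the default instance, `MSSQL$<INSTANCE>` for a named one) are assumptions of this example.

```powershell
# Added example: flag unexpected members of the SQL Server 2005 engine groups.
# Group naming follows the pattern quoted in the message:
#   SQLServer2005MSSQLUser$<COMPUTER>$<INSTANCE>

function Resolve-ServiceAccountSid {
    param([string]$StartName)
    # Win32_Service reports LocalSystem and local accounts (".\name") in forms
    # that NTAccount cannot translate directly, so normalise them first.
    $name = $StartName
    if ($StartName -eq 'LocalSystem') {
        $name = 'NT AUTHORITY\SYSTEM'
    } elseif ($StartName -match '^\.\\(.+)$') {
        $name = '{0}\{1}' -f $env:COMPUTERNAME, $Matches[1]
    }
    $account = New-Object System.Security.Principal.NTAccount($name)
    $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Get-UnexpectedSqlGroupMember {
    Get-LocalGroup | Where-Object Name -like 'SQLServer2005MSSQLUser$*' | ForEach-Object {
        $group    = $_
        $instance = ($group.Name -split '\$')[-1]
        # Assumption: engine service name derived from the instance name.
        $svcName  = if ($instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { 'MSSQL$' + $instance }
        $svc      = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
        # If the service is missing, every member is reported for review.
        $expected = if ($svc) { Resolve-ServiceAccountSid $svc.StartName } else { $null }

        Get-LocalGroupMember -Group $group.Name |
            Where-Object { $_.SID.Value -ne $expected } |
            ForEach-Object {
                [pscustomobject]@{
                    Group   = $group.Name
                    Service = $svcName
                    Member  = $_.Name
                    Sid     = $_.SID.Value
                }
            }
    }
}

# An empty result means each group holds only its own service account.
Get-UnexpectedSqlGroupMember | Format-Table -AutoSize
```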