Re: Security Hole in SQL 2005 that Garry Pointed Out in Nov Mtg
Hi Mike,
I'm curious as to why you consider these new groups to be a security hole?
Microsoft's intention is that the groups are a one-stop-shop for giving
certain rights to accounts more easily. For example, to set up a service
account for SQL Server on my laptop (named "Ferdinand" - sorry, no servers
handy), I just have to add a Windows account to
SQLServer2005MSSQLUser$FERDINAND$MSSQLSERVER. I no longer have to make sure
I go into the registry, or use a certain tool, or anything like that - I
just add the account to the group and presto! - all those exotic permissions
that are required for the service account are already there. If you remove
these groups from SQL Server, you may need to do more than just add logins
for the group members - you may need to also grant other OS-level
permissions to the logins. And that's the whole point - by using OS-level
groups, Microsoft has made it possible for us to not have to worry about
OS-level permissions, as these are encapsulated into the group. And they do
it (I believe) in a way that for most implementations would be considered a
best-practice, least-permissions-necessary approach. All for free! :o)

You are an extremely bright guy, so I suspect that I might be missing
something. Feel free to clue me in.... I have a feeling that you might be
saying that if the Windows administrators are allowed to control group
membership to this group, it opens up a vulnerability where one of them can
do Bad Things. But in most cases they can already do Bad Things if they
really want to, by taking over a Windows account with elevated permissions.
Like I said, I think I'm missing something here (and, to be honest about my
biases, I was really glad to see MS implement this feature :o) ), so clue me
in to what your thinking is.

PS. By default the only member of these groups is the service account
indicated in the group name. So this is different than the
builtin\Administrators group, which automagically gave permission to local
Administrators one and all. This group doesn't automatically give
permissions to anyone except the appropriate service account.
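
The PS above says each of these groups contains only its service account by default, and the concern raised earlier is that someone with control over group membership could add more. The following is an added example, not part of the original message: a PowerShell check that lists every member of the local `SQLServer2005*` groups and flags anything outside a baseline. It assumes PowerShell 5.1 or later on the SQL Server host (the `Microsoft.PowerShell.LocalAccounts` cmdlets); the function name and the service account name are hypothetical placeholders.

```powershell
# Added example. Baseline: group name -> the one account expected in it.
# The group name is the one quoted in the message; the account name is a
# placeholder to replace with your real service account.
# Single quotes matter: '$' in the group name must not be expanded.
$Expected = @{
    'SQLServer2005MSSQLUser$FERDINAND$MSSQLSERVER' = 'FERDINAND\svc-sql-placeholder'
}

function Test-SqlGroupMembership {
    param(
        [hashtable]$ExpectedMembers,
        [string]$GroupPattern = 'SQLServer2005*'
    )
    $groups = Get-LocalGroup | Where-Object { $_.Name -like $GroupPattern }
    foreach ($group in $groups) {
        $allowed = $ExpectedMembers[$group.Name]
        try {
            # Can throw if the group holds an orphaned SID; report it and move on.
            $members = @(Get-LocalGroupMember -Group $group.Name -ErrorAction Stop)
        } catch {
            Write-Warning "Could not enumerate $($group.Name): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $status = if (-not $allowed)            { 'NO BASELINE' }
                      elseif ($m.Name -eq $allowed) { 'expected' }
                      else                          { 'UNEXPECTED' }
            [pscustomobject]@{
                Group       = $group.Name
                Member      = $m.Name
                ObjectClass = $m.ObjectClass   # User or Group
                Status      = $status
            }
        }
    }
}

# Show only the entries that need a second look.
Test-SqlGroupMembership -ExpectedMembers $Expected |
    Where-Object { $_.Status -ne 'expected' } |
    Format-Table -AutoSize
```

A member with `ObjectClass` of `Group` deserves particular attention, since everyone in that nested group inherits the same rights.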