Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin.
\nMatt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA.
\nMsdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.<\/p>\n
SQLAgentOperator give you the right to execute all job even if it runs under sysadmin.
\nIf your SQL Server DBA grant your login as a member of this role and if a job runs a Stored Procedure what you are able to modify you are the master of the box as you can grant your login as sysadmin.<\/p>\n
The goal here is to ask you DBA to create a Stored Procedure with as parameter a job name in order to simplify process because you need to run several different jobs<\/p>\n
Procedure like that:<\/p>\n
USE msdb\nGO\nCREATE PROC dbo.sp_run_job\n @name varchar(500)\n WITH EXECUTE AS OWNER\nAS\n exec sp_start_job @job_name = @name<\/pre>\nWith this kind of Stored Procedure you can do whatever you want on the server.<\/p>\n
Linked Server Elevated privilege<\/h2>\n
If you have a linked server that logins into a foreign server with a sysadmin account, ask you DBA to enable RPC out for the linked server for a good reason like decrease the stress on both servers.
\nIf you DBA does the job you can execute this kind of script:<\/p>\nEXEC(\u2018Alter server role sysadmin add member [adsts]\u2019) at linked_Server1<\/pre>\nNice not?<\/p>\n
I need a sandbox database that I\u2019m DBO on<\/h2>\n
The goal for this one is to convince your DBA to create for you a sandbox database on a production server for a good reason like working with production data (a good reason?)\u2026
\nOnce done ask him to schedule a Stored Procedure you wrote on a daily basis.
\nIf he does is just alter you Stored Procedure with the following code:<\/p>\nALTER SERVER ROLE SYSADMIN ADD MEMBER [adsts]<\/pre>\nAnother way to become quickly sysadmin!<\/p>\n
Xp_cmdshell to take over the box<\/h2>\n
Xp_cmdshell is running under SQL Server service account which often is Local admin of the box.
\nAsk your DBA to grant you permissions to xp_cmdshell and argue that you need to delete some files after importing them on the server.
\nIf the account that runs SQL Server is a local Administrator, you can add your account as an Administrator of the server and whatever you want\u2026<\/p>\nEXEC xp_cmdshell \u2018net localgroup administrators adsts \/add\u2019<\/pre>\nOups\u2026<\/p>\n
How to close Loopholes<\/h2>\n
Never enable a business user for SQLServerOperator role.
\nNever use SA or another sysadmin account for linked server but set it to a reader login with minimum permission.
\nNever schedule a job that calls a SP where business user has alter access to.
\nNever allow a parameterized job call in MSDB, always hardcode the job name to avoid modification of this job name.<\/p>\nJust give the necessary permission!
\nCreate a server trigger which send an Email to DBA when somebody becomes sysadmin on the instance. Like that DBA can look at this new account immediately and see if somebody tries to squeeze the system.<\/p>\n","protected":false},"excerpt":{"rendered":"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s […]<\/p>\n","protected":false},"author":21,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[229],"tags":[1205,1206,25,51],"type_dbi":[],"class_list":["post-10615","post","type-post","status-publish","format-standard","hentry","category-database-administration-monitoring","tag-bypass-security","tag-pass-summit-2017","tag-security","tag-sql-server"],"acf":[],"yoast_head":"\n
Pass Summit 2017: how to bypass SQL Server security - dbi Blog<\/title>\n<meta name=\"description\" content=\"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Pass Summit 2017: how to bypass SQL Server security\" \/>\n<meta property=\"og:description\" content=\"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\" \/>\n<meta property=\"og:site_name\" content=\"dbi Blog\" \/>\n<meta property=\"article:published_time\" content=\"2017-11-06T14:49:13+00:00\" \/>\n<meta name=\"author\" content=\"St\u00e9phane Savorgnano\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"St\u00e9phane Savorgnano\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\"},\"author\":{\"name\":\"St\u00e9phane Savorgnano\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c\"},\"headline\":\"Pass Summit 2017: how to bypass SQL Server security\",\"datePublished\":\"2017-11-06T14:49:13+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\"},\"wordCount\":515,\"commentCount\":0,\"keywords\":[\"bypass security\",\"Pass Summit 2017\",\"Security\",\"SQL Server\"],\"articleSection\":[\"Database Administration & Monitoring\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\",\"name\":\"Pass Summit 2017: how to bypass SQL Server security - dbi Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\"},\"datePublished\":\"2017-11-06T14:49:13+00:00\",\"author\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c\"},\"description\":\"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.dbi-services.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Pass Summit 2017: how to bypass SQL Server security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#website\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/\",\"name\":\"dbi Blog\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c\",\"name\":\"St\u00e9phane Savorgnano\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g\",\"caption\":\"St\u00e9phane Savorgnano\"},\"description\":\"St\u00e9phane Savorgnano has more than fifteen years of experience in Microsoft software development and in SQL Server database solutions. He is specialized in SQL Server installation, performance analysis, best practices, etc. St\u00e9phane Savorgnano is Microsoft Certified Solutions Associate (MCSA) and\u00a0Microsoft Certified Solutions Expert (MCSE) for SQL Server 2012. He is also Microsoft Certified Technology Specialist (MCTS) and Microsoft Certified IT Professional (MCITP) for SQL Server 2008 as well as ITIL Foundation V3 certified. Prior to joining dbi services, he was software engineer at Ciba Specialty Chemicals in Basel. St\u00e9phane Savorgnano holds a Master of Informatics from Mulhouse University (F). His branch-related experience covers Banking \/ Financial Services, Chemicals & Pharmaceuticals, etc.\",\"url\":\"https:\/\/www.dbi-services.com\/blog\/author\/stephane-savorgnano\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Pass Summit 2017: how to bypass SQL Server security - dbi Blog","description":"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/","og_locale":"en_US","og_type":"article","og_title":"Pass Summit 2017: how to bypass SQL Server security","og_description":"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.","og_url":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/","og_site_name":"dbi Blog","article_published_time":"2017-11-06T14:49:13+00:00","author":"St\u00e9phane Savorgnano","twitter_card":"summary_large_image","twitter_misc":{"Written by":"St\u00e9phane Savorgnano","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#article","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/"},"author":{"name":"St\u00e9phane Savorgnano","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c"},"headline":"Pass Summit 2017: how to bypass SQL Server security","datePublished":"2017-11-06T14:49:13+00:00","mainEntityOfPage":{"@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/"},"wordCount":515,"commentCount":0,"keywords":["bypass security","Pass Summit 2017","Security","SQL Server"],"articleSection":["Database Administration & Monitoring"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/","url":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/","name":"Pass Summit 2017: how to bypass SQL Server security - dbi Blog","isPartOf":{"@id":"https:\/\/www.dbi-services.com\/blog\/#website"},"datePublished":"2017-11-06T14:49:13+00:00","author":{"@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c"},"description":"Last Friday I saw a very interesting session in Pass Summit 2017 about how to Bypass, or Ensure, SQL Server security by Matt Martin. Matt explained us how to bypass SQL Server security with the complicity of your SQL Server DBA. Msdb is the most powerful database to get stuff done: mail, jobs\u2026 so let\u2019s have a look how to take the power within a SQL Server instance.","breadcrumb":{"@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.dbi-services.com\/blog\/pass-summit-2017-how-to-bypass-sql-server-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.dbi-services.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Pass Summit 2017: how to bypass SQL Server security"}]},{"@type":"WebSite","@id":"https:\/\/www.dbi-services.com\/blog\/#website","url":"https:\/\/www.dbi-services.com\/blog\/","name":"dbi Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.dbi-services.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.dbi-services.com\/blog\/#\/schema\/person\/b6bce7d75118b35bdb3b439ad6a9ca3c","name":"St\u00e9phane Savorgnano","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/88d2a790f775c52c1012ec644d883431da758f2cbcfc16067ade04d2ef625ef5?s=96&d=mm&r=g","caption":"St\u00e9phane Savorgnano"},"description":"St\u00e9phane Savorgnano has more than fifteen years of experience in Microsoft software development and in SQL Server database solutions. He is specialized in SQL Server installation, performance analysis, best practices, etc. St\u00e9phane Savorgnano is Microsoft Certified Solutions Associate (MCSA) and\u00a0Microsoft Certified Solutions Expert (MCSE) for SQL Server 2012. He is also Microsoft Certified Technology Specialist (MCTS) and Microsoft Certified IT Professional (MCITP) for SQL Server 2008 as well as ITIL Foundation V3 certified. Prior to joining dbi services, he was software engineer at Ciba Specialty Chemicals in Basel. St\u00e9phane Savorgnano holds a Master of Informatics from Mulhouse University (F). His branch-related experience covers Banking \/ Financial Services, Chemicals & Pharmaceuticals, etc.","url":"https:\/\/www.dbi-services.com\/blog\/author\/stephane-savorgnano\/"}]}},"_links":{"self":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/comments?post=10615"}],"version-history":[{"count":0,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/posts\/10615\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/media?parent=10615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/categories?post=10615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/tags?post=10615"},{"taxonomy":"type","embeddable":true,"href":"https:\/\/www.dbi-services.com\/blog\/wp-json\/wp\/v2\/type_dbi?post=10615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}