
Don’t Let Your Permissions Be Hijacked!

You are sysadmin on a production server, and on this server there are databases where users hold powerful permissions such as the db_owner or db_ddladmin roles. They have no server-level permissions, but there may be rogues among them who want to perform actions beyond what their own permissions allow. One way they can achieve this is to have you unknowingly run code that performs these actions using your almighty permissions – or, in other words, hijacking them. For instance, if you have set up a reindexing job for all databases, this is a great opportunity for permission hijacking.

Not only sysadmins can be victims of such attacks: a developer who has permissions to create stored procedures and triggers can attack a user in the db_owner role to extend his or her permissions in the database.

In this session I will discuss some of the possible attacks on this theme and what measures you can take to protect yourself against them. This includes some best practices for Agent jobs.

Erland Sommarskog

Erland Sommarskog SQL-Konsult AB

Stockholm, Sweden
