
Brief from David Litchfield about Administrator Logins to a Database Server


David Litchfield has put out a brief (as he says it, "It's called a brief because there's enough meat to make it interesting but not enough to make it a paper 😉") on why no one should log onto a database server (or any server hosting network-based services which use Windows authentication) with administrative rights.

I understand the gist of how the situation can be exploited. However, from a practicality perspective, this is a problem. I suppose a workaround is to log on as a power user, stop the service, then log on as an administrator, although if an exploit can get placed on the server, even this isn't altogether safe. This makes doing things like applying security patches and the like problematic, given that many of the automated tools do so using a Windows-based login to push a package down upon the system (Microsoft's WSUS being an exception).

You can find the brief here: http://www.databasesecurity.com/dbsec/db-sec-tokens.pdf
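The practical takeaway of the brief is a policy: privileged accounts should not establish interactive logon sessions on hosts that run Windows-authenticated network services. Below is an added example of how a defender could audit that policy from Security log data. It is not code from the post or from Litchfield's brief. The log line format, the account names, the host names and the IP addresses are all constructed for the example; the logon type values (2 = Interactive, 10 = RemoteInteractive, 3 = Network, 5 = Service) are the documented Windows Security event 4624 values. A real deployment would feed the same check from `Get-WinEvent` exports or a SIEM rather than from an embedded string.

```python
"""Flag interactive (console) or RemoteInteractive (RDP) logons by privileged
accounts on hosts that run Windows-authenticated network services.

Added example, not part of the original post or of Litchfield's brief.
The key=value log format below is a constructed, simplified rendering of
Windows Security event 4624 ("An account was successfully logged on").
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Documented 4624 logon types. Interactive (2) and RemoteInteractive (10)
# leave a full logon session and token on the host, which is what the
# brief warns about; Network (3) and Service (5) logons are deliberately
# not flagged here.
INTERACTIVE_LOGON_TYPES = {2, 10}

# Constructed policy inputs: accounts that hold administrative rights
# (including the patch-deployment account the post mentions) and the
# servers that host Windows-authenticated services such as SQL Server.
PRIVILEGED_ACCOUNTS = {"CORP\\dba-admin", "CORP\\svc-patch"}
SERVICE_HOSTS = {"SQL01.corp.example", "SQL02.corp.example"}

# Constructed sample events, one per line.
SAMPLE_LOG = """\
EventID=4624 Computer=SQL01.corp.example LogonType=10 TargetDomainName=CORP TargetUserName=dba-admin IpAddress=10.0.0.15
EventID=4624 Computer=SQL01.corp.example LogonType=3 TargetDomainName=CORP TargetUserName=dba-admin IpAddress=10.0.0.15
EventID=4624 Computer=SQL01.corp.example LogonType=2 TargetDomainName=CORP TargetUserName=svc-patch IpAddress=-
EventID=4624 Computer=WS042.corp.example LogonType=2 TargetDomainName=CORP TargetUserName=dba-admin IpAddress=-
EventID=4624 Computer=SQL02.corp.example LogonType=5 TargetDomainName=CORP TargetUserName=svc-sql IpAddress=-
EventID=4625 Computer=SQL02.corp.example LogonType=10 TargetDomainName=CORP TargetUserName=dba-admin IpAddress=10.0.0.99
EventID=4624 Computer=SQL02.corp.example LogonType=10 TargetDomainName=CORP TargetUserName=jsmith IpAddress=10.0.0.20
"""


@dataclass(frozen=True)
class Logon:
    computer: str
    logon_type: int
    account: str      # DOMAIN\user
    source_ip: str


_KV = re.compile(r"(\w+)=(\S+)")


def parse_4624(line: str) -> Optional[Logon]:
    """Parse one constructed log line into a Logon.

    Returns None for events other than a successful logon (4624) and for
    lines missing a required field, so a malformed line never aborts the scan.
    """
    fields = dict(_KV.findall(line))
    if fields.get("EventID") != "4624":
        return None
    try:
        return Logon(
            computer=fields["Computer"],
            logon_type=int(fields["LogonType"]),
            account=f'{fields["TargetDomainName"]}\\{fields["TargetUserName"]}',
            source_ip=fields.get("IpAddress", "-"),
        )
    except (KeyError, ValueError):
        return None


def find_risky_logons(log_text: str,
                      privileged_accounts: Iterable[str],
                      service_hosts: Iterable[str]) -> List[Logon]:
    """Return successful logons that violate the policy: a privileged
    account established an interactive or RDP session on a service host."""
    privileged = {a.lower() for a in privileged_accounts}
    hosts = {h.lower() for h in service_hosts}
    findings = []
    for line in log_text.splitlines():
        logon = parse_4624(line)
        if logon is None:
            continue
        if (logon.logon_type in INTERACTIVE_LOGON_TYPES
                and logon.account.lower() in privileged
                and logon.computer.lower() in hosts):
            findings.append(logon)
    return findings


if __name__ == "__main__":
    for hit in find_risky_logons(SAMPLE_LOG, PRIVILEGED_ACCOUNTS, SERVICE_HOSTS):
        print(f"{hit.account} logon type {hit.logon_type} on {hit.computer} "
              f"from {hit.source_ip}")
```

On the constructed sample the scan reports two policy violations: the RDP session by `CORP\dba-admin` on SQL01 and the console logon by the patch account `CORP\svc-patch` on SQL01. The network logon by the same admin, the console logon on a workstation, the service logon, the failed logon (4625) and the unprivileged RDP user are all left alone, which keeps the check focused on exactly the situation the brief describes rather than on every admin activity.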
