Prevent users from impersonating sysadmin using runas /netonly

  • So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

    runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

    So the only thing that is needed to run as a sysadmin is to know the user's login?

    How is this possible and how do I prevent it?

  • robbase9 (7/25/2012)

    So I just learned that some of our users are using a VM to impersonate a sysadmin and logging into SSMS using the command:

    runas /netonly /user:domain\username "C:\Program Files (x86)\Microsoft SQL Server\100\Tools\Binn\VSShell\Common7\IDE\Ssms.exe"

    So the only thing that is needed to run as a sysadmin is to know the user's login?

    How is this possible and how do I prevent it?

    runas will prompt for the password of the account specified after /user:, i.e. whoever is using runas to open SSMS must also know the password for domain\username in order to launch SSMS. Try it yourself.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • Does your company have an IT security policy? If so, does it say anything about using other people's logins without their permission?

    The company I used to work for had such a security policy, and what you describe there was a dismissible offence.

    Gail Shaw
    Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)
    SQL In The Wild: Discussions on DB performance with occasional diversions into recoverability

    We walk in the dark places no others will enter
    We stand on the bridge and no one may pass
  • To prevent someone from logging on with your account follow these three guidelines:

    - Don't share your password with anyone.

    - Don't write your password down somewhere where someone else can read it.

    - Change your password regularly.

    Also note you can restrict a user account to log on only to specific computers in Active Directory (AD). You can also grant or deny users and groups logon permissions in the computer's security policy, which can be distributed from AD using a Group Policy Object (GPO).
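
    Scripting the Active Directory part of that advice, as an added example that is not from any post in this thread: the first half sets the account's "Log On To" list (the userWorkstations attribute) so the domain controller refuses authentication from machines not on it, and the second half looks on a suspect VM for Event ID 4648 ("A logon was attempted using explicit credentials"), which runas writes on the machine where it is run, with the impersonated account as the target. The account name dbadmin, the hosts DBA-WS01 and SQLPROD01, and the VM name USER-VM01 are assumptions; the script needs the ActiveDirectory RSAT module, rights to modify the account, and local administrator plus WinRM access to the VM.

```powershell
# Added example, not part of the original thread.
# Assumed names: account dbadmin, allowed hosts DBA-WS01 and SQLPROD01, suspect VM USER-VM01.
Import-Module ActiveDirectory

$Account = 'dbadmin'                        # assumed: the sysadmin's domain account
$Allowed = @('DBA-WS01', 'SQLPROD01')       # assumed: the DBA's workstation and the SQL Server
$Vm      = 'USER-VM01'                      # assumed: the VM the users are running runas on

# 1. Restrict where the account may authenticate from.
#    LogonWorkstations is a single comma-separated list of NetBIOS names, no domain prefix.
Set-ADUser -Identity $Account -LogonWorkstations ($Allowed -join ',')

# Verify what the DC will now enforce.
Get-ADUser -Identity $Account -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations

# 2. Find explicit-credential logons to that account on the VM.
#    Event 4648 is raised by runas (and any CreateProcessWithLogon caller) on the
#    machine where it runs. Fields are read from the event XML by name rather than
#    by position so the script does not depend on the property order.
$events = Get-WinEvent -ComputerName $Vm -FilterHashtable @{ LogName = 'Security'; Id = 4648 }

foreach ($e in $events) {
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }

    if ($data['TargetUserName'] -eq $Account) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            LoggedOnAs  = $data['SubjectUserName']   # the interactive user who ran runas
            UsedAccount = $data['TargetUserName']    # the account they supplied to /user:
            Process     = $data['ProcessName']       # runas.exe, or the launched program
        }
    }
}
```

    Two caveats. The "Log On To" list is checked against the workstation name the client presents during authentication, so it is an administrative control rather than a hard boundary, and it does nothing if the misuse happens from an allowed machine. And the 4648 search only shows who has been doing it; the durable fix is the one this thread already gives: the sysadmin's password must not be shared, and changing it ends the current misuse immediately.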

  • Oh, you have to have the password too. That sounds better. That just means they're sharing passwords, which is a different matter.

    Thanks, guys or gals.
