Secure Checks

  • Eric Prévost (3/25/2015)


    SETUSER WITH NORESET doesn't prevent anything in SSMS.

    After doing the SETUSER, the developer may not be able to do a SETUSER to revert back to sysadmin permissions, but he can right-click in the query window and select "Open server in object explorer". He would automatically get a new connection with sysadmin security context.

    The question explicitly mentions SSMS. Considering this, the answer should be that there is no way to prevent it.

    I see your point here, although I don't reach the same conclusion. Doesn't this turn on what credentials the object browser is using? Assuming that the sysadmin came along and found that the dev had already started SSMS authenticating to this instance with the dev's credentials, the posted answer should stand. But this is not stated in the question: for all we know it has sysadmin creds. Therefore, without rejecting the answer, I now think that the question is incomplete.

  • robert.diley (3/26/2015)


    I see your point here, although I don't reach the same conclusion. Doesn't this turn on what credentials the object browser is using? Assuming that the sysadmin came along and found that the dev had already started SSMS authenticating to this instance with the dev's credentials, the posted answer should stand. But this is not stated in the question: for all we know it has sysadmin creds. Therefore, without rejecting the answer, I now think that the question is incomplete.

    I did this test:

    1. I created a standard login, and added it to sysadmin role.

    2. In a query window, I right-clicked and chose "change connection" to reconnect using the just created login

    3. In Object explorer, I closed all connections

    4. I did a SETUSER 'user_login' WITH NORESET (user_login is a non-privileged account)

    5. SELECT USER_NAME() to confirm SETUSER worked

    6. Right-click in query window and selected "open server in object explorer"

    Result: a new connection in the object explorer with the login created and used in steps 1 and 2 with full sysadmin access, not the Windows account running SSMS.
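The session-scoped behaviour robert.diley tested above, as an added T-SQL example that is not part of the thread; dev_login, dev_user and the password are constructed placeholders, and the script assumes it is run from a sysadmin connection:

```sql
-- Added example (not from the thread): exercise SETUSER ... WITH NORESET in one
-- session and show what it does and does not constrain. Names are constructed.
-- SETUSER is deprecated; EXECUTE AS is the current impersonation mechanism.
CREATE LOGIN dev_login WITH PASSWORD = 'PlaceholderP@ss0rd!';  -- constructed value
CREATE USER dev_user FOR LOGIN dev_login;   -- unprivileged user in the current database
GO

-- 1. Impersonate the unprivileged database user and forbid reverting.
SETUSER 'dev_user' WITH NORESET;
SELECT USER_NAME() AS db_user, SUSER_SNAME() AS server_login;
-- db_user now reports dev_user for the rest of this session.

-- 2. SETUSER with no argument would normally restore the original context;
--    because NORESET was given it raises an error and the session stays dev_user.
SETUSER;
GO

-- 3. The restriction is per session. A new connection (for example the one
--    SSMS opens for "Open server in Object Explorer") authenticates as the
--    original login and carries whatever rights that login has; nothing in the
--    impersonated session changes that. The effective control is therefore the
--    permission set of the login the developer actually connects with.

-- 4. Defender check: list user sessions whose executing login differs from the
--    login that opened them (EXECUTE AS LOGIN ... WITH NO REVERT impersonation).
SELECT session_id, original_login_name, login_name, program_name
FROM sys.dm_exec_sessions
WHERE is_user_process = 1
  AND original_login_name <> login_name;

-- Cleanup must come from a fresh sysadmin connection, since this session can
-- no longer revert:  DROP USER dev_user;  DROP LOGIN dev_login;
```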
