February 21, 2014 at 1:08 pm
We have just recently noticed that a member of a group who executes sp_defaultdb will have his account added as an individual login with public rights. Our concern, here, is that when we remove this person from the group and assume he/she no longer has access, we would be incorrect.
This is just one example of a system proc where users with public access can execute it and bypass some security measures. Does anyone have a list of others that may be good to revoke permissions from public?
Jared
CE - Microsoft
February 21, 2014 at 4:33 pm
SQLKnowItAll (2/21/2014)
We have just recently noticed that a member of a group who executes sp_defaultdb will have his account added as an individual login with public rights. Our concern, here, is that when we remove this person from the group and assume he/she no longer has access, we would be incorrect.This is just one example of a system proc where users with public access can execute it and bypass some security measures. Does anyone have a list of others that may be good to revoke permissions from public?
I guess I wouldn't blame the security issue on sp_defaultdb because that proc requires the "ALTER ANY LOGIN" to be executed. That's not exactly a PUBLIC priv.
The real problem is in the groups that have been created. I'd suggest a review of the privs given in groups.
--Jeff Moden
Change is inevitable... Change for the better is not.
February 21, 2014 at 5:01 pm
Jeff Moden (2/21/2014)
SQLKnowItAll (2/21/2014)
We have just recently noticed that a member of a group who executes sp_defaultdb will have his account added as an individual login with public rights. Our concern, here, is that when we remove this person from the group and assume he/she no longer has access, we would be incorrect.This is just one example of a system proc where users with public access can execute it and bypass some security measures. Does anyone have a list of others that may be good to revoke permissions from public?
I guess I wouldn't blame the security issue on sp_defaultdb because that proc requires the "ALTER ANY LOGIN" to be executed. That's not exactly a PUBLIC priv.
The real problem is in the groups that have been created. I'd suggest a review of the privs given in groups.
Are you sure about that? 🙂 The group has only Public privileges... Verified. Public has no Login privileges... Verified... Where else could I look? I see what you are saying, but I see something different happening...
Jared
CE - Microsoft
February 22, 2014 at 12:48 pm
while a user might be able to see system procedures, they can't do anything with them due to permissions;
it's easy to test, just create a user.
create user ClarkKent without login
execute as user='ClarkKent'
select * from sys.procedures --nothing to see
select * from sys.all_objects --lots of system stuff, but they don't let
exec sp_defaultdb 'ClarkKent','master'
Msg 15007, Level 16, State 1, Procedure sp_defaultdb, Line 41
'ClarkKent' is not a valid login or you do not have permission.
so if you have a user than can call something, you should check his roles to see what permissions he's inheriting.
was this a windows user?
Lowell
February 22, 2014 at 1:03 pm
Lowell (2/22/2014)
while a user might be able to see system procedures, they can't do anything with them due to permissions;it's easy to test, just create a user.
create user ClarkKent without login
execute as user='ClarkKent'
select * from sys.procedures --nothing to see
select * from sys.all_objects --lots of system stuff, but they don't let
exec sp_defaultdb 'ClarkKent','master'
Msg 15007, Level 16, State 1, Procedure sp_defaultdb, Line 41
'ClarkKent' is not a valid login or you do not have permission.
so if you have a user than can call something, you should check his roles to see what permissions he's inheriting.
was this a windows user?
Yes. A windows user within a Windows group. I'll take a look on Monday and see if there is something I am missing. I suppose there has to be! 😉
Jared
CE - Microsoft
March 19, 2014 at 9:34 am
Yeah, I am looking really hard to find any inherited permissions for this, but I cannot. Again, the scenario is that a Windows Group is added with default, public, permissions. Then as a member of that group, I log in and execute sp_defaultdb 'DOMAIN\mylogin', 'dba_database' and it completes successfully and also I can view the login.
Jared
CE - Microsoft
March 19, 2014 at 9:55 am
Hmm... This works just fine...
CREATE login ClarkKent WITH password = 'P@$$w0rdSr0ngEnough'
execute as login='ClarkKent'
select * from sys.procedures --nothing to see
select * from sys.all_objects --lots of system stuff, but they ALSO let
exec sp_defaultdb 'ClarkKent','master'--or any other database
--REVERT
Thoughts?
Jared
CE - Microsoft
September 9, 2014 at 12:09 pm
I want to bump this up again, as I have proved that an active directory user that is part of an active directory group that has only public permissions can run the below statement and their individual account will be added as a login with public privileges.
Exec sp_defaultdb @loginame='domain\username', @defdb='foo'--where domain\username is a member of an AD group with public permissions
Thoughts?
Jared
CE - Microsoft
Viewing 8 posts - 1 through 7 (of 7 total)
You must be logged in to reply to this topic. Login to reply