Is SQL Server's latest security hole a real threat?

Why Microsoft should pay attention to the latest security threat


Remember, it’s not necessarily as much about gaining more access as much as it’s about impersonating someone else -- which you should never be allowed to do. Also, maybe you’re sys admin on certain boxes only, but this would allow you to gain that same level of rights on other boxes.

Scenario No. 2 This one is even worse because it’s far more likely and more dangerous to cause an unintended privilege violation.

Let’s say you’re a developer, and like many devs, you have sys admin on your dev box. You ask the database administrator to look at something on your box because you are having trouble with a query, would like him to take a backup - or some other ruse of your creation.

Once the database administrator logs on, you’re able to retrieve his password. Now, you not only have sys admin privilegs on all the SQL boxes, you have his log-in, so no one can trace it back to you. If nothing else, you could steal information and nobody would know anything about it. A security audit afterward wouldn’t show anything at all because everyone has the correct rights.

But it gets worse. You don’t have to pose as the database administrator or coax him into coming onto your box to steal his credentials. There are plenty of other credentials you can steal. Let’s say you have a product like Ecora that takes full inventory of your SQL boxes. It’s likely taking inventory of your dev box too, so you can steal that account.

"Recommended For You"

Making a case for virtual patching 5 dysfunctional IT relationships - and how to repair them