Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?
From: BP Margolin (bpmargo@attglobal.net)
Date: 08/24/02
- Next message: Tom O: "Re: Cryptography in SQL Server 2000"
- Previous message: BP Margolin: "Re: Determining Membership in Role Chains"
- In reply to: Richard Waymire [MS]: "Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?"
- Next in thread: Richard Waymire [MS]: "Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?"
- Reply: Richard Waymire [MS]: "Re: Login with no Fixed Server Role and DB Role can stop SQL Agent Service?"
From: "BP Margolin" <bpmargo@attglobal.net> Date: Sat, 24 Aug 2002 15:14:24 -0400
Richard,
Thanks for the information ... then this is indeed a bug, right :-(
BPM
"Richard Waymire [MS]" <rwaymi_ms@microsoft.com> wrote in message
news:#zszp85SCHA.1864@tkmsftngp12...
> Yup - somehow the user has Windows security rights to control services - we
> just call the Win32 APIs to control services as the user.
>
> --
> Richard Waymire, MCSE, MCDBA
>
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "BP Margolin" <bpmargo@attglobal.net> wrote in message
> news:eYFvP$pSCHA.1644@tkmsftngp08...
> > Johnathen,
> >
> > Well, I'm out of ideas ... sorry ;-(
> >
> > If no one else chimes in, you might consider opening a case with Microsoft
> > Product Support Services. If it turns out to be a bug in Enterprise Manager,
> > then PSS should not charge you.
> >
> > -------------------------------------------
> > BP Margolin
> > Please reply only to the newsgroups.
> > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
> > can be cut and pasted into Query Analyzer is appreciated.
> >
> > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > news:e#fkdinSCHA.3552@tkmsftngp08...
> > > BP,
> > >
> > > I guess I didn't clearly specify the rights of the user. The user is holding
> > > a Windows 2000 login with Domain User default permissions, therefore he is
> > > not supposed to stop any of the services of my SQL Server 2000.
> > >
> > > Thanks.
> > >
> > > Johnathen
> > >
> > > "BP Margolin" <bpmargo@attglobal.net> wrote in message
> > > news:O$yHp1jSCHA.1496@tkmsftngp11...
> > > > Johnathen,
> > > >
> > > > I did a quick review of this thread, and unless I'm mistaken you never
> > > > actually answered the question about the permissions the user has re: the
> > > > operating system. Forget about SQL Server for the moment. What are the
> > > > permissions for the user's Windows login? Would the user, completely aside
> > > > from Enterprise Manager, be able to successfully issue a "net stop" for the
> > > > SQL Server Agent Services from a command prompt?
> > > >
> > > > -------------------------------------------
> > > > BP Margolin
> > > > Please reply only to the newsgroups.
> > > > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
> > > > can be cut and pasted into Query Analyzer is appreciated.
> > > >
> > > > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > > > news:enf0UrZSCHA.1644@tkmsftngp08...
> > > > > BP,
> > > > >
> > > > > As I said, the user uses the limited login to register the SQL server on his
> > > > > Enterprise Manager, but he is still able to stop the SQL Agent Services....
> > > > >
> > > > > Any ideas?
> > > > >
> > > > > Johnathen
> > > > > "BP Margolin" <bpmargo@attglobal.net> wrote in message
> > > > > news:Ov$ZuwTSCHA.3360@tkmsftngp11...
> > > > > > Johnathen,
> > > > > >
> > > > > > Thanks for the additional information.
> > > > > >
> > > > > > Check the login used to register SQL Server within Enterprise Manager ...
> > > > > >
> > > > > > Right-click the server name, choose Properties, choose "Edit SQL Server
> > > > > > Registration properties ..."
> > > > > >
> > > > > > -------------------------------------------
> > > > > > BP Margolin
> > > > > > Please reply only to the newsgroups.
> > > > > > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
> > > > > > can be cut and pasted into Query Analyzer is appreciated.
> > > > > >
> > > > > > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > > > > > news:uKqBGJNSCHA.3736@tkmsftngp11...
> > > > > > > Hi BP,
> > > > > > >
> > > > > > > Sorry for the lack of exact information. This restricted user is supposed to
> > > > > > > connect thru the SQL Server by means of SQL Client Tools and Connectivity.
> > > > > > > He will use Enterprise Manager to execute the DTS package. We found out
> > > > > > > that he is able to stop the SQL Agent Service by going into Enterprise
> > > > > > > Manager, right-clicking the SQL Agent Service, and stopping it. This user is
> > > > > > > holding a SQL login, and is not holding any Windows 2000 login in the SQL
> > > > > > > Server.
> > > > > > >
> > > > > > > Any ideas?
> > > > > > >
> > > > > > > Johnathen
> > > > > > >
> > > > > > > "BP Margolin" <bpmargo@attglobal.net> wrote in message
> > > > > > > news:O8PQ$jLSCHA.1648@tkmsftngp08...
> > > > > > > > Johnathen,
> > > > > > > >
> > > > > > > > You might indicate in the future the exact process by which the user is able
> > > > > > > > to stop the SQL Server Agent service.
> > > > > > > >
> > > > > > > > It sorta sounds as if you are mixing SQL Server permissions with that of the
> > > > > > > > operating system.
> > > > > > > > Stopping a service ... regardless if it is the SQL Agent service, or any
> > > > > > > > other ... is a function of the rights of the user defined on the operating
> > > > > > > > system.
> > > > > > > >
> > > > > > > > To express this another way ... the SA is god within SQL Server, right.
> > > > > > > > Well, unless the SA has the requisite operating system permissions, the SA
> > > > > > > > can NOT start the SQL Server service. (BTW, just to be completely accurate, the
> > > > > > > > SA can stop SQL Server via the SHUTDOWN command, even if the SA would not
> > > > > > > > normally have the operating system permissions to stop the SQL Server
> > > > > > > > service.)
> > > > > > > >
> > > > > > > > Review the operating system rights granted the user.
> > > > > > > >
> > > > > > > > -------------------------------------------
> > > > > > > > BP Margolin
> > > > > > > > Please reply only to the newsgroups.
> > > > > > > > When posting, inclusion of SQL (CREATE TABLE ..., INSERT ..., etc.) which
> > > > > > > > can be cut and pasted into Query Analyzer is appreciated.
> > > > > > > >
> > > > > > > > "Johnathen Liew" <johnliew@rocketmail.com> wrote in message
> > > > > > > > news:uvvEeaLSCHA.1756@tkmsftngp11...
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > We have a scenario, where we need to create a DTS package, which is run by a
> > > > > > > > > designated user. This user should have no other rights other than running
> > > > > > > > > the DTS package. We created a login, with no Fixed Server Roles and no
> > > > > > > > > Database Roles. This user is able to execute the package, but he is able to
> > > > > > > > > stop the SQL Agent services as well, which is bad, but he cannot drop/create
> > > > > > > > > tables, which is good.
> > > > > > > > >
> > > > > > > > > Is this a SQL Server bug? Any idea anyone?
> > > > > > > > >
> > > > > > > > > We are using SQL Server 2000 Enterprise Edition with SP2.
> > > > > > > > >
> > > > > > > > > Thanks
> > > > > > > > > Johnathen Liew
> > > > > > > > >
> > > > > > > > > "Donna Lambert [MS]" <dlambert@online.microsoft.com> wrote in message
> > > > > > > > > news:I0wk$8URCHA.2468@cpmsftngxa06...
> > > > > > > > > > Adrian,
> > > > > > > > > > Seems like it would be much simpler to password protect your dts packages.
> > > > > > > > > > Just a suggestion.
> > > > > > > > > > Donna Lambert
> > > > > > > > > > Microsoft SQL Server Support
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Disclaimer:
> > > > > > > > > > This posting is provided "AS IS" with no warranties, and confers no rights.
> > > > > > > > > >
> > > > > > > > > > Are you secure? For information about the Microsoft Strategic Technology
> > > > > > > > > > Protection Program and to order your FREE Security Tool Kit, please visit
> > > > > > > > > > http://www.microsoft.com/security.
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > Recent viruses on the Internet underscore the threat to all computer users
> > > > > > > > > > and highlight challenges facing the entire industry in providing security
> > > > > > > > > > that everyone needs to conduct business. I encourage you to sign up to
> > > > > > > > > > receive automatic notification of Microsoft Security Bulletins by visiting
> > > > > > > > > > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp.
> > > > > > > > > > For more information on security, our Strategic
> > > > > > > > > > Technology Protection Program and to order your FREE Security Tool Kit,
> > > > > > > > > > please visit http://www.microsoft.com/security. We will be happy to answer
> > > > > > > > > > any questions or provide assistance with your security needs.
> > > > > > > > > >
> > > > > > > > > > --------------------
> > > > > > > > > > | From: "Adrian" <adrianw@persoft.com.my>
> > > > > > > > > > | Sender: "Adrian" <adrianw@persoft.com.my>
> > > > > > > > > > | Subject: DTS Security
> > > > > > > > > > | Date: Thu, 15 Aug 2002 20:29:53 -0700
> > > > > > > > > > |
> > > > > > > > > > | Hi,
> > > > > > > > > > | I want to create a user id where this id can only run
> > > > > > > > > > | DTS. Other function like starting of the SQL Agent, backup
> > > > > > > > > > | database should not be given access right. Could anyone
> > > > > > > > > > | help what type rights should I assign to this userid.
> > > > > > > > > > |
> > > > > > > > > > | Thanks
> > > > > > > > > > | Adrian
> > > > > > > > > > |
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
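
Added example, not part of the original thread or written by any of its participants: the replies above place the control over stopping the Agent in Windows service rights, not in SQL Server roles, so the ACL to review is the service's own DACL. This Python code parses the SDDL string printed by `sc sdshow <service>` (for a default instance the Agent service is named SQLSERVERAGENT) and lists trustees allowed SERVICE_STOP; the sample SDDL strings, the `EXPECTED` set and all function names are constructed for illustration.

```python
import re

# Constructed samples in the format printed by `sc sdshow <service>`.
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
LOOSE_SDDL = DEFAULT_SDDL.replace("(A;;CCLCSWLOCRRC;;;IU)",
                                  "(A;;CCLCSWRPWPDTLOCRRC;;;AU)(A;;CCLCSWLOCRRC;;;IU)")

SERVICE_STOP = 0x0020
GENERIC_EXECUTE, GENERIC_ALL = 0x20000000, 0x10000000  # both map to rights that include stop
STOP_CODES = {"WP", "GX", "GA"}  # SDDL: WP means SERVICE_STOP on a service object
EXPECTED = {"SY", "BA"}  # assumption: only Local System and Builtin Administrators may stop it
ALIASES = {"SY": "Local System", "BA": "Builtin Administrators",
           "AU": "Authenticated Users", "IU": "Interactive", "SU": "Service logon",
           "WD": "Everyone", "PU": "Power Users", "DU": "Domain Users"}

def dacl_aces(sddl):
    """Yield (type, rights, trustee) for each ACE in the DACL only (the SACL is skipped)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    for body in re.findall(r"\(([^)]*)\)", m.group(1)) if m else []:
        fields = body.split(";")
        if len(fields) >= 6:
            yield fields[0], fields[2], fields[5]

def grants_stop(rights):
    """True if an ACE rights field (letter codes or hex mask) includes SERVICE_STOP."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (SERVICE_STOP | GENERIC_EXECUTE | GENERIC_ALL))
    return bool(STOP_CODES & set(re.findall("..", rights)))

def unexpected_stoppers(sddl, expected=EXPECTED):
    """Trustees outside `expected` with an allow ACE that lets them stop the service.
    Deny ACEs are not evaluated, so this over-reports rather than under-reports."""
    return [t for kind, rights, t in dacl_aces(sddl)
            if kind == "A" and grants_stop(rights) and t not in expected]

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("loose", LOOSE_SDDL)):
        hits = unexpected_stoppers(sddl)
        print(name, [ALIASES.get(t, t) for t in hits] or "ok")
```

A trustee reported here still has to be resolved against the user's actual group memberships before concluding that a particular login can stop the service.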