SQLBits 2023

Don’t Let Your Permissions Be Hijacked!

Learn how malicious users can lure a power user such as a sysadmin into running code that performs actions to the benefit of the evil user, through something I call permission hijacking, and what measures you can take to prevent this from happening.

You are sysadmin on a production server, and on this server there are databases where some users have powerful permissions, such as membership in the db_owner or db_ddladmin roles. They have no server-level permissions, but there may be rogues who want to perform actions beyond what their own permissions allow. One way they can achieve this is to have you unknowingly run code that performs these actions using your almighty permissions, or, in other words, hijacking them. For instance, if you have set up a reindexing job for all databases, this is a great opportunity for permission hijacking.

It is not only sysadmins who can be victims of such attacks: a developer who has permissions to create stored procedures and triggers can attack a user who is in the db_owner role to extend his or her permissions in the database. Or a plain user with only read-only permission in databases A and B can be attacked by a developer in database B who wants to steal data from A.

In this session, I will discuss some of the possible attacks on this theme and what measures you can take to protect yourself against them. This includes some best practices for Agent jobs.