Today morning I was working on one of the server to complete the regular documentation of security audit with details of logins with sysadmin rights and their access to various database. Later I have realized that, one login has access to all database but it is not captured by my auditing script. Here comes the culprit , the CONTROL SERVER rights.
By default CONTROL SERVER rights is equivalent to sysadmin permission except the fact that logins with CONTROL SERVER rights will honor the explicitly denied server level permission where the members of sysadmin server role bypass the explicitly denied server level permission. Also note that logins with control server permission will have implicit access to the databases like the sysadmin members and database owners.
Logins with control server rights will not have mapping entry in the sys.database_principals but it will have access to all databases. The worst part is, logins with CONROL SERVER permission are not easy to find out unless you prepare explicit query. It is not listed in the UI of SSMS or there is no system procedure like sp_helpsrvrolemember to list the logins with CONTROL SERVER right.
Let us walk through a sample script. Create two logins using the below script
CREATE login SysadminLogin WITH password ='password123~'GOCREATE login controlserverlogin WITH password ='password123~'GOEXEC sp_addsrvrolemember 'SysadminLogin','sysadmin'GOGRANT control server TO controlserverlogin Now log in to the server using the controlserverlogin and you can access all the databases and perform any actions. Let us see what will happen on explicitly denying the server level permission.DENY VIEW ANY DATABASE TO controlserverlogin
GODENY VIEW ANY DATABASE TO sysadminlogin
GO
Now log in to the server using both the login. You can notice that, in the session that connected with the controlserverlogin will list only Master and Tempdb databases while the session connected with sysadminlogin will list all available databases.
The other potential issue with logins having control server right is , they can add them self to the sysadmin server role or can create a new login with membership to the sysadmin server role. Fortunately it is not possible to do it in straight forward steps. Let us see how it will work .Connect to the server using the controlserverlogin and execute the below scripts
/* Fortunately this will fail */ EXEC sp_addsrvrolemember 'controlserverlogin','sysadmin';GO/* Unfortunately this will work even if sa account is disabled*/EXECUTE AS LOGIN = 'sa';GOEXEC sp_addsrvrolemember 'controlserverlogin','sysadmin';GO
REVERT;
Now the controlserverlogin has sysadmin role membership and you can see all available databases.
Below script list the logins with sysadmin role membership and control server permission.
If you liked this post, do like my page on FaceBook at http://www.facebook.com/practicalSqlDba
Below script list the logins with sysadmin role membership and control server permission.
/* List login with membership to Sysadmin server role and Control Server right*/SELECT p.[name] [Login], 'sysadmin Role Member' [Access] ,p.type_desc AS loginTypeFROM sys.server_principals p
JOIN sys.server_role_members RM
ON p.principal_id = rm.member_principal_id
JOIN sys.server_principals rp
ON rm.role_principal_id = rp.principal_id WHERE rp.NAME = 'sysadmin' UNION ALL SELECT p.[name], 'Control Server Right' ,p.type_desc AS loginTypeFROM sys.server_principals p
JOIN sys.server_permissions Sp
ON p.principal_id = sp.grantee_principal_id WHERE sp.class = 100
AND sp.[type] = 'CL'
AND state = 'G' GO
Below script will help to list the explicitly denied server level permission for logins which have control server permission.
/* List Explicitly denied permission for the login that has control server permission*/SELECT CSL.*,sp.permission_name [Explicitly Denied Permission] FROM sys.server_permissions SP INNER JOIN (SELECT p.principal_id ,p.[name], p.type_desc AS loginTypeFROM sys.server_principals p
JOIN sys.server_permissions Sp
ON p.principal_id = sp.grantee_principal_id WHERE sp.class = 100
AND sp.[type] = 'CL'
AND state = 'G' ) CSL ON CSL.principal_id = sp.grantee_principal_id
WHERE state ='D'
If you liked this post, do like my page on FaceBook at http://www.facebook.com/practicalSqlDba
you can get round this with the following:
ReplyDeleteDENY IMPERSONATE ON LOGIN::sa TO [controlserverlogin]
công kích của ba người đã cố hết sức, mà bây giờ còn có một con Ma thú bậc bảy, hắn căn bản là không thể chống lại.
Delete- Âu Dương Thời, ngươi thật là vô sỉ, thỉnh giúp đỡ.
đồng tâm
game mu
cho thuê nhà trọ
cho thuê phòng trọ
nhac san cuc manh
số điện thoại tư vấn pháp luật miễn phí
văn phòng luật
tổng đài tư vấn pháp luật
dịch vụ thành lập công ty trọn gói
http://we-cooking.com/
chém gión Song Dương ánh mắt hung hăng chăm chú nhìn Âu Dương Thời mắng, nhìn một nhị tinh Đấu Tông đã bị giết, lòng của hắn cũng nhỏ máu, vốn hắn thân vẫn chỉ là nhất tinh Đấu Tông, tại Âu Dương Thắng công kích cũng cực kỳ nguy hiểm.
- An Song Dương, đây cũng không phải là ta thỉnh giúp đỡ, mà là con rể ta, cũng là Linh Cảnh tông Khách Tọa trưởng lão, coi như là người của Linh Cảnh tông ta.
Âu Dương Thời mỉm cười, hắn cũng không nói sai, theo đạo lý mà nói, Nhạc Thành thế nào cũng có quan hệ với Linh Cảnh tông.
- Chết đi.
Giữa không trung Tử Điện Mãng hét lớn một tiếng, thừa dịp ngũ tinh Đấu Tông bị Yêu Cơ cùng Thông Thiên Thử đánh lui, trong tay một mảnh cuồng bạo vô
You managed to hit the nail upon the top and also defined out the whole thing without having side effect , people could take a signal. Will likely be back to get more. Thanks
DeleteTangki Panel
Tangki Fiberglass
Jual Septic Tank
Security testing is must. Everybody wants security at every level of his working. as explained above failures are happened but if we test time to time then it will improve. So it depend on us how much we are serious about this.
DeleteSecure Cooperative Communications With an Untrusted Relay A NOMA Inspired Jamming and Relaying Approach Project For CSE
Secure Detection of Image Manipulation by means of Random Feature Selection Project For CSE
Stealing Passwords by Observing Hands Movement Project For CSE
Stripped Functionality Logic Locking with Hamming Distance Based Restore Unit (SFLL hd)– Unlocked Project For CSE
Understanding the Related Key Security of Feistel Ciphers from a Provable Perspective Project For CSE
Universally Composable Key Bootstrapping and Secure Communication Protocols for the Energy Internet Project For CSE
vEPC sec Securing LTE Network Functions Virtualization on Public Cloud Project For CSE
ReplyDeleteThanks for posting this useful content, Good to know about new things here, Let me share this, . LINUX training in pune
ReplyDeleteI loved the way you discuss the topic great work thanks for the share, Let me share this, Hadoop training in pune
Amazing article. Thanx :-) Amiclubwear Coupon Code
Deleteشركة المتحدة
ReplyDeleteدليل شركات نقل العفش
شركة نقل اثاث بالمدينة المنورة
شركة نقل اثاث بالرياض
شركة نقل اثاث بجدة
شركة نقل اثاث بمكة
ReplyDeleteشركة نقل اثاث بالطائف
شركة نقل اثاث بينبع
شركة نقل اثاث بالدمام
شركة نقل اثاث بنجران
شركة نقل اثاث بابها
ReplyDeleteشركة نقل اثاث بحائل
شركة نقل اثاث ببريدة
شركة نقل اثاث بالقصيم
شركة نقل اثاث بحفر الباطن
The best thing is that your blog really informative thanks for your great information!
ReplyDeletecashew nuts suppliers and exporters in dubai
A4 paper suppliers and exporters in dubai
I like the post format as you create user engagement in the complete article. It seems round up of all published posts. Thanks for gauging the informative posts.
ReplyDeletecara menggugurkan kandungan
Thanks for sharing amazing information !!!!!!
ReplyDeletePlease keep up sharing.
This curiosity you describe is fantastic
ReplyDeletehttps://instagramcaptions.me
ReplyDeletefunny instagram captions
instagram captions for friends
birthday wishes
Thank you for sharing valuable information. Nice post. I enjoyed reading this post...
ReplyDelete
ReplyDeleteIn love with this post.Thankyou for the valuable information.
Please do find the latest apks.
https://apkmabbu.com
https://apkmabbu.com/happy-chick-apk/
https://apkmabbu.com/blackmart-alpha-apk/
https://apkmabbu.com/dj-liker-apk/
https://apkmabbu.com/shareit-apk/
https://apkmabbu.com/tutuapp-apk/
https://apkmabbu.com/lucky-patcher-apk/
This comment has been removed by the author.
ReplyDelete
ReplyDeleteشركه عزل فوم بالدمام
شركه عزل فوم بالقطيف
شركه عزل فوم بالاحساء
شركه عزل فوم بالجبيل
Mobile app development company in mumbai
ReplyDeletehttp://www.m6mobilityxchange.com/three-prime-cell-video-games/
ReplyDeletehttp://www.fortheloveoflabradors.com/prime-android-apps/
http://www.lindacarlsonquilts.com/prime-5-free-humorous-android-video-games/
http://skupauttrojmiasto.com/high-android-apps-you-cant-ignore/
http://www.bayerntours.com/high-two-sport-apps-on-ios-and-android-utilizing-crossbows/
ReplyDeleteExcellent Blog! I would like to thank for the efforts you have made in writing this post. I am hoping the same best work from you in the future as well.
I wanted to thank you for this websites! Thanks for sharing. Great websites!
pubg apk pubg mobile apk
pubg lite
pubg mobile lite
pubg
Appslure is a high rated Mobile Game development company in Delhi. We are no 1 company for IOS & Android games.
ReplyDeleteGame Development company in Delhi
Appslure is a mobile Application Development Company in Gurgaon. Our app developers team are expert in iOS, Android, iPhone
ReplyDeleteMobile app development company in gurgaon
app development company in delhi
ReplyDeleteAppslure is an award-winning mobile app development company building feature-packed and interactive mobile applications for startups, medium and large enterprises.
ReplyDeleteYour post is good. Thank you for sharing! Mobile App Development Company
ReplyDeleteführerschein kaufen
ReplyDeletecomprare patente
comprar carta de conduçao
Rijbewijs kopen
kupiti vozacka dozvola
comprare patente
ADR Schein kaufen
ReplyDeleteacheter son permis moto
kupiti vozacka dozvola
comprare patente
comprare patente
Rijbewijs kopen
comprar carta de carro
führerschein kaufen