I was doing a routine security audit on a pre production SQL Server and noticed cross db ownershjp turned on for the instance. The application was designed with a cross db ownership requirement.
My general approach to cross db ownership and security in general , is to grant only what is necessary. Systems evolve, configurations change, security hole appear. This security approach , often comes into conflict with business and programming requirements , who want everything now!
Questions I ask the owners about Cross db ownership:
1) Is SQL Server Instance cross db ownership required at the instance level or database level?
2) Will all the databases in the instance participate in the cross db ownership? If not , then change cross db ownership to the database level.
3) Can the owner produce a document , detailing the application requirement fro cross db ownership? Rather than blindly granting cross db ownership on all the databases in an instance- have the application owner detail the requirement.
4) Are you completing regular SQL Server security audits?
--queries to check if cross db ownership is on SELECT value_in_use FROM sys.configurations WHERE name='cross db ownership chaining' EXEC sp_configure 'Cross DB Ownership Chaining'