Cross db ownership chaining and security holes

29 April, 2013 by Jack Vamvas

I was doing a routine security audit on a pre-production SQL Server and noticed cross db ownership turned on for the instance. The application was designed with a cross db ownership requirement.

My general approach to cross db ownership, and security in general, is to grant only what is necessary. Systems evolve, configurations change, security holes appear. This security approach often comes into conflict with business and programming requirements, who want everything now!

Questions I ask the owners about Cross db ownership:

1) Is SQL Server cross db ownership required at the instance level or at the database level?

2) Will all the databases in the instance participate in the cross db ownership? If not, then change cross db ownership to the database level.

3) Can the owner produce a document detailing the application requirement for cross db ownership? Rather than blindly granting cross db ownership on all the databases in an instance, have the application owner detail the requirement.

4) Are you completing regular SQL Server security audits?

-- Queries to check whether cross db ownership chaining is on for the instance
SELECT value_in_use FROM sys.configurations
WHERE name = 'cross db ownership chaining';

-- The same instance-level setting, reported by sp_configure
EXEC sp_configure 'Cross DB Ownership Chaining';
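
Question 2 above suggests moving cross db ownership from the instance level to the database level. The following T-SQL is an added example, not part of the original post, showing one way to audit both levels and then restrict chaining to the databases that need it. AppDb1 and AppDb2 are hypothetical database names.

```sql
-- Added example: AppDb1 and AppDb2 are hypothetical names for the
-- databases that have a documented cross db ownership requirement.

-- 1. Instance level: value_in_use = 1 means chaining is on for
--    every database in the instance.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'cross db ownership chaining';

-- 2. Database level: which databases have chaining on, and who owns
--    them. An ownership chain only spans databases when the object
--    owners map to the same login, so the owner is worth reviewing.
SELECT d.name                   AS database_name,
       d.is_db_chaining_on,
       SUSER_SNAME(d.owner_sid) AS database_owner
FROM sys.databases AS d
ORDER BY d.name;

-- 3. Turn the instance-wide setting off.
EXEC sp_configure 'cross db ownership chaining', 0;
RECONFIGURE;

-- 4. Enable chaining only on the databases that participate.
ALTER DATABASE AppDb1 SET DB_CHAINING ON;
ALTER DATABASE AppDb2 SET DB_CHAINING ON;

-- 5. Verify: only the intended user databases should be listed
--    (database_id > 4 leaves out the system databases).
SELECT name, is_db_chaining_on
FROM sys.databases
WHERE is_db_chaining_on = 1
  AND database_id > 4;
```

Run steps 1 and 2 on their own first and keep the output with the audit record, so the before and after state can be compared against the application owner's documented requirement.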

Author: Jack Vamvas (http://www.sqlserver-dba.com)

