sysadmin - what can they do

  • Question

  • We recently had a security audit done and one of the issues they found was on a mixed mode MSSQL 2005 instance a SQL account with sysadmin privileges had a weak corresponding password. I am not a DBA or Network tech myself but I could do with some management friendly low tech explanation of, if someone exploited that weakness and gained sysadmin access to the SQL database, what malicious actions could they then do? What's the overall risk? Rather than just saying "they have admin access", it would help me give it some sort of management friendly risk perspective if you could elaborate on some potential acts they could do if they had malicious intentions (which is likely if they've hacked in in the first place).

    Thursday, June 6, 2013 12:33 PM

Answers

  • Hello,

    A member of the SysAdmin role can do absolutely everything on SQL Server; there are no restrictions for it:

    - Change passwords
    - Delete users
    - Delete complete databases

    really everything.


    Olaf Helper

    Blog Xing

    • Proposed as answer by Alberto Morillo (MVP) Thursday, June 6, 2013 6:35 PM
    • Marked as answer by cf090 Friday, June 7, 2013 8:19 AM
    Thursday, June 6, 2013 12:44 PM
  • Take a look at the concept of Server Level Roles within SQL Server found here:

    http://msdn.microsoft.com/en-us/library/ms188659.aspx

    "Members of the sysadmin fixed server role can perform any activity in the server."

    From a malicious perspective, they can access all data (ex: any PII / SSNs / account info, etc.), create their own copy of the database, set up any logging to monitor any traffic, lock out other users, delete the entire database, and many other tasks.

    They are the super user and it is well worth creating a strong password for these accounts.

    Thanks,
    Sam Lester (MSFT)


    http://blogs.msdn.com/b/samlester

    This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" and "Vote as Helpful" on posts that help you. This can be beneficial to other community members reading the thread.

    Thursday, June 6, 2013 12:46 PM

All replies

  • This could also be even worse than what has already been mentioned, depending on the permissions of the user the SQL Server service runs as. A sysadmin user on SQL Server could enable the use of xp_cmdshell, if it was not already enabled, and use that to execute file system commands as well - the sky is the limit.

    -Sid

    Friday, June 7, 2013 7:01 AM
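The replies above list what a sysadmin login can do and note that xp_cmdshell is one switch such a login can flip. As an added example, not from any of the posters, the following T-SQL audits the points raised in this thread on a 2005-or-later instance: who holds sysadmin, which SQL-authenticated logins are exempt from the Windows password policy, whether xp_cmdshell is currently enabled, and whether any login has a blank password (PWDCOMPARE is Microsoft's documented way to check this). The login name and new password in the remediation step are placeholders.

```sql
-- Added audit script for the risks discussed in this thread (not code from the thread).
-- Run as a login that can read server-level metadata (a DBA or auditor account).

-- 1. Who is a member of the sysadmin fixed server role?
SELECT p.name AS login_name, p.type_desc, p.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS p ON p.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY p.name;

-- 2. SQL-authenticated logins that do not enforce the Windows password policy
--    (a weak password on a sysadmin login usually sits behind one of these flags)
SELECT name, is_policy_checked, is_expiration_checked, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0 OR is_expiration_checked = 0;

-- 3. Is xp_cmdshell enabled? value_in_use = 1 means a sysadmin already has OS command execution
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 4. Any SQL login with a blank password? (documented PWDCOMPARE audit usage)
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;

-- 5. Remediation for a login flagged above: rotate the password and enforce policy.
--    [weak_login_placeholder] and the password are placeholders; supply your own.
ALTER LOGIN [weak_login_placeholder]
    WITH PASSWORD = N'<new strong password>', CHECK_POLICY = ON, CHECK_EXPIRATION = ON;

-- 6. Unless a documented job depends on it, turn xp_cmdshell off again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Steps 1 to 4 are read-only and can be run during the audit; steps 5 and 6 change server state and belong in a change window.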