stevenbarker4
Starting Member
7 Posts
Posted - 2005-12-01 : 05:46:32

Hi

I have a client who is claiming that the following is possible with SQL Server, but I can't recreate it myself. Is this security hole non-existent, or could it exist under certain network conditions? Your opinions on this would be much appreciated!

1. A Domain exists called, for example, Organisation.
2. A Domain user exists, for example called Organisation\Steven.Barker. This user can access the database using SQL Server authentication.

Following this...

3. A machine can be connected to the network that has a computer name of Organisation and a local user has been created called Steven.Barker (thereby generating the login details that are equal to Organisation\Steven.Barker).
4. This illegitimate login can access the database impersonating the Domain user Organisation\Steven.Barker.
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts
Posted - 2005-12-01 : 08:36:44

Makes sense to me. I don't know about the machine name being the same as the domain, but here is something that has always been in place:

Domain user: domain\stevebaker ~ password: test
Local user on server: svr01\stevebaker ~ password: test
Assign local admin rights to svr01\stevebaker on svr01

With this setup the domain user would be a local admin on svr01 even without having his domain account on that machine. He would not be a domain admin though. Windows will authenticate the domain user as the local machine user as long as the username and password are identical.

I have never done any testing in the exact scenario that you've punched up, but going based on what I just said, it makes perfect sense that they would have rights in SQL Server as long as the scenario plays out under the rules I just stated.

Have fun,

Daniel, MCP, A+
SQL Server DBA
www.dallasteam.com

*Edit: I'm not sure that you can have a workstation named the same as the domain. Maybe someone else can comment on that. I'm definitely not an NT Admin by any means.
stevenbarker4
Starting Member
7 Posts
Posted - 2005-12-01 : 09:45:42

Thanks for the response. I'll see if I can impersonate someone like this when the two accounts have the same password!

In my example the workstation isn't attached to the domain but does have a network cable attached so it can communicate over the network.

If it were attached to the domain it wouldn't be able to have the same name as the domain.
bakerjon
Posting Yak Master
145 Posts
Posted - 2005-12-01 : 10:56:47

I don't think that would work. SQL Server stores the SID from the domain for the user, not just the user name. When the user authenticates, it must provide the proper SID as its auth token. I believe this is true for groups as well.

Dan, I think the hole you describe was fixed in Win2k3 SP1, but I could be wrong on that. Seems as though I bumped up against that recently.

Others have a viewpoint on this?

Jon
-Like a kidney stone, this too shall pass.
http://www.sqljunkies.com/weblog/outerjoin
stevenbarker4
Starting Member
7 Posts
Posted - 2005-12-01 : 11:05:13

I looked into this as well and began to read about SIDs generated by Windows/the Active Directory, and it all seemed to make sense. I certainly couldn't recreate the problem myself. However, it would be useful to know if there was an environment where this security vulnerability occurs.
SQLServerDBA_Dan
Aged Yak Warrior
752 Posts
Posted - 2005-12-01 : 11:24:15

Bakerjon,

Actually, you could get into SQL Server. If SVR01 is the SQL Server and you are an admin of the box then you get in via the built-in admin group. I don't think that the SID comes into play there because it's actually authenticating against the local user and not the domain user.

Hole? It's my understanding that this is not a hole but it's by design. I think it works perfectly fine, as long as you understand how it works. I think this was mainly intended for cross-domain issues, because I've seen this implemented in several shops where more than one domain exists. The user will have a login on MyDom1\Sbaker and the admins will set up a local user on a box that he needs access to as MyDom2\Sbaker. Why they do that? I don't know. I'm a DBA not an NT Admin. I'd think you could just do a domain trust and then add the users from the other domain, but hey, maybe I'm wrong.

Daniel, MCP, A+
SQL Server DBA
www.dallasteam.com
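As an added example (not part of the thread, and not from SQLTeam or any of the posters), these are the T-SQL checks a DBA could run to verify the two points made above: that SQL Server matches Windows logins by their stored SID rather than by name (bakerjon's point), and that a local administrator of the box only gets in if BUILTIN\Administrators is a sysadmin login (Dan's point). It assumes SQL Server 2005 or later and uses the question's domain name Organisation as a placeholder.

```sql
-- Added example, not from the thread. Assumes SQL Server 2005 or later.
-- 'Organisation' is the placeholder domain name from the original question.
DECLARE @expected_domain sysname;
SET @expected_domain = N'Organisation';

-- 1. Stored SID vs. the SID Windows resolves for the same name today.
--    SQL Server keeps the Windows SID of each login in sys.server_principals.sid;
--    SUSER_SID() asks Windows to resolve the name now. A mismatch means the name
--    currently points at a different security principal than the one that was
--    granted access, so a same-named account from elsewhere does not inherit it.
SELECT  p.name,
        p.type_desc,
        p.sid             AS stored_sid,
        SUSER_SID(p.name) AS resolved_sid,
        CASE WHEN SUSER_SID(p.name) IS NULL   THEN 'cannot resolve (orphaned?)'
             WHEN SUSER_SID(p.name) <> p.sid  THEN 'SID MISMATCH'
             ELSE 'ok'
        END               AS sid_status
FROM    sys.server_principals AS p
WHERE   p.type IN ('U', 'G')       -- Windows logins and Windows groups only
  AND   p.name NOT LIKE 'NT %'     -- skip NT AUTHORITY\ and NT SERVICE\ built-ins
ORDER BY sid_status, p.name;

-- 2. The path Dan describes: if BUILTIN\Administrators is a login holding
--    sysadmin, every local administrator of the box (including a local user
--    created to mirror a domain user name) gets in via the group, SID or not.
SELECT  p.name,
        IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM    sys.server_principals AS p
WHERE   p.name = N'BUILTIN\Administrators';

-- 3. Windows-authenticated sessions whose NT domain is not the expected domain
--    came in as local machine accounts. nt_domain is NULL for SQL logins.
SELECT  s.session_id, s.login_name, s.nt_domain, s.nt_user_name,
        s.host_name, s.login_time
FROM    sys.dm_exec_sessions AS s
WHERE   s.is_user_process = 1
  AND   s.nt_user_name IS NOT NULL
  AND   s.nt_domain <> @expected_domain;
```

In the question's exact case, a machine named after the domain, nt_domain reads the same as the domain, so check 3 will not flag it; checks 1 and 2 are the ones that decide whether such a login gets in.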