What does "take ownership of" mean in SQL

SQL Server Security Ponderings – Part 2 | Database owner + TRUSTWORTHY
This article is the second of three articles devoted to a particular combination of database security configuration settings.
In my previous article, I presented a scenario in which we were able to compromise data in a SQL Server database.
I would like to note that knowledge of this configuration combination is critical. In this article, I am going to provide further information and reasons for the importance of this issue.
Let’s check the background details, starting with the well-known problem: database ownership.
Which login should be the owner of your database(s)? A lot of people say that SA is an appropriate choice.
I did a quick Google search and found the following answers:
“I don’t remember this being a concern for me ever. Other than looking annoying in reports, or being unable to remove the user if they own a database, but I don’t think it affects server operations. You can just pick sa for consistency.”
“I don’t think to own a database by SA or any other user should be of any concern. What matters is who is performing ‘what’ in your database. So, it is a good idea to create users with valid privileges. For simplicity, you can specify the owner as SA.”
I found a blog which even states that it is the best practice (I intentionally crossed out the parts I don’t agree with):
“According to the SQL Server security best practice document, we should grant login details with the least amount of privileges. Therefore, it is recommended to set a built-in sa account as an owner of all databases on the SQL Server instance. This will make database and server more secure”
This blog post is interesting because I have checked the “SQL Server security best practice document”, and it says:
“Best practices for database ownership and trust
If you are an ISP, then you have distinct
not all databases should be owned by
Well, I admit that the documentation explicitly refers to ISP scenarios, but still, I have not found any statement in the documentation that picking SA as a database owner would be the best practice, or even a fair one.
The widely known free script sp_Blitz also reports, with priority 200, every database where SA is not the owner (Database Owner <> SA), and by doing this I have a feeling that the script encourages people with less technical skills, such as accidental DBAs, to stick to this practice. If you check the related finding link, it says:
Most shops end up using SA as the owner because it’s the easiest way to avoid ownership problems when the owner name no longer exists. This is not best practice – but there’s no short answer for best practice.
Ok so, it is for sure that this is NOT the best practice! I would like to join
(the sp_Blitz page also refers to this page in the ‘To Fix the Problem Long Term’ section) and emphasize that using the SA account as a database owner is actually the WORST practice. Personally, I think this should be highlighted on every blog and in every piece of documentation related to this topic.
I know that if users were created with only valid privileges, that would be enough, but unfortunately this is not how things usually work, and in security questions there are no ‘IFs’. I mean that in a good way of thinking: you need to be prepared for the ‘possible worst’ scenarios.
Just think what we could do in our example if the default database owner were SA!
Let’s go on with the second option, the TRUSTWORTHY database option. Fortunately, the situation is a bit better for this one, but its handling still has a common problem.
Everybody knows that the best practice here is as follows: Set the ‘Trustworthy’ Database Property to Off.
We have just seen why this option is “bad”, but this is not everything. Here is why I am still concerned about this option.
If you try to find scripts that check this property, you will probably find one similar to this:
SELECT name FROM sys.databases WHERE is_trustworthy_on = 1 AND name != 'msdb'
sp_Blitz has a check as well, which checks the default settings of the databases (including TRUSTWORTHY, with a default value of 0) and reports every database that has non-default settings, but the script skips the system databases.
Furthermore, there is an MS KB article that focuses on this topic.
Refer to these guidelines for using the TRUSTWORTHY database settings in SQL Server:
There is a code sample in the article that lists the databases that have the TRUSTWORTHY bit ON and whose database owner belongs to the sysadmin server role:
SELECT SUSER_SNAME(owner_sid) AS DBOWNER, d.name AS DATABASENAME
FROM sys.server_principals r
INNER JOIN sys.server_role_members m ON r.principal_id = m.role_principal_id
INNER JOIN sys.server_principals p ON
p.principal_id = m.member_principal_id
inner join sys.databases d on suser_sname(d.owner_sid) = p.name
WHERE is_trustworthy_on = 1 AND d.name NOT IN ('MSDB') and r.type = 'R' and r.name = N'sysadmin'
What is common in these scripts? Each script excludes MSDB, but as the MS KB article notes, and as you have just seen in our “mission”:
By default, the TRUSTWORTHY setting is set to ON for the MSDB database. Altering this setting from its default value can result in unexpected behavior by SQL Server components that use the MSDB database.
I would like to emphasize that the main focus of this article is neither the TRUSTWORTHY database option nor the database owner property itself, but the combination of these two options. I have mostly concentrated on MSDB because the TRUSTWORTHY setting is set to ON for the MSDB database by default.
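As an added example (not from the article, sp_Blitz or the MS KB article), the following query reports the owner and TRUSTWORTHY combination for every database without excluding MSDB or the other system databases. The finding labels are this example's own wording, and owners are matched to sysadmin members by SID rather than by name.

```sql
-- Added example, not from the article, sp_Blitz or the MS KB article.
-- Lists every database, msdb and the other system databases included, and flags
-- the combination the article is about: TRUSTWORTHY ON + owner in sysadmin.
-- Limitation: only direct role membership is resolved; an owner that is sysadmin
-- through a Windows group is not detected here.
WITH sysadmin_members AS (
    SELECT p.sid
    FROM sys.server_role_members AS m
    JOIN sys.server_principals AS r ON r.principal_id = m.role_principal_id
    JOIN sys.server_principals AS p ON p.principal_id = m.member_principal_id
    WHERE r.type = 'R' AND r.name = N'sysadmin'
)
SELECT
    d.name AS database_name,
    SUSER_SNAME(d.owner_sid) AS owner_login,   -- NULL when the SID no longer resolves
    d.is_trustworthy_on,
    CASE WHEN s.sid IS NOT NULL THEN 1 ELSE 0 END AS owner_is_sysadmin,
    CASE
        WHEN d.is_trustworthy_on = 1 AND s.sid IS NOT NULL AND d.name = N'msdb'
            THEN 'TRUSTWORTHY ON + sysadmin owner (msdb: ON is the default)'
        WHEN d.is_trustworthy_on = 1 AND s.sid IS NOT NULL
            THEN 'TRUSTWORTHY ON + sysadmin owner'
        WHEN d.is_trustworthy_on = 1
            THEN 'TRUSTWORTHY ON, owner not in sysadmin'
        WHEN s.sid IS NOT NULL
            THEN 'sysadmin owner, TRUSTWORTHY OFF'
        ELSE 'neither'
    END AS finding
FROM sys.databases AS d
LEFT JOIN sysadmin_members AS s ON s.sid = d.owner_sid
ORDER BY d.is_trustworthy_on DESC, owner_is_sysadmin DESC, d.name;
```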
That’s all for now. We went through two important database options: the owner of the database and the TRUSTWORTHY database setting. I just wanted to put a spotlight on these options since, as you saw, they are very critical, especially in combination.
I hope you have enjoyed the article. In my further publications, I will provide comprehensive scripts that help you identify the possible risks in your SQL Servers: users that could take advantage of these options, and databases that could be a target or a source of such an attack.
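Today I made a mistake while using VMWare: logging in to Windows 2003 Server requires pressing Ctrl+Alt+Delete, and I accidentally clicked something (I didn't even see what!!), which left the virtual machine locked. Running the virtual machine showed the following:
After clicking Take Ownership, the following appeared:
I googled the fault; it turns out the virtual machine lock was caused by a system crash:
When I clicked on the lock button (which had replaced VMWare Fusion’s normal “play” button), I got an error message indicating “The virtual machine appears to be in use”:
Seeing as how I was not using the VM (…at least to the best of my knowledge), I clicked on “Take Ownership”, and got an error message that said “Taking ownership of this virtual machine failed”:
What to do? I started googling for the error messages to see if I could find a resource or VMWare support document that described how to troubleshoot them, but to my surprise it took me awhile and some digging to find something. Luckily, which in essence recommended removing VMWare’s lock files on the virtual machine.
In fact, every time the virtual machine starts, a .LCK folder is created automatically; the creation time of the Mxxxxx.lck file inside it shows that it was created at the moment the virtual machine started. After deleting all the .lck folders in the virtual machine, double-click the VMX file again to run the virtual machine, and the problem is solved.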