DBO权利风险 [英] DBO rights risk
问题描述
我建议一个朋友管理一个SQL 2k5框,该框具有多个可以对多个数据库进行dbo访问的用户.问题是:
I'm advising a friend who manages a SQL 2k5 box that has several users who have dbo access to multiple databases. The problem is:
- 这些用户几个月来都没有更改过密码,
- 这些用户将其ID放入应用程序中,并且这些应用程序作为DBO运行.
那么-除了明显的dbo添加/更新/删除表和proc的权利外,对于拥有dbo的SQL 2005数据库的恶意用户,我还能列举哪些危险?
So - aside from the obvious dbo rights to add/update/delete tables and procs, what dangers can I cite for a malicious user having dbo to a SQL 2005 database?
我想提供对数据库和其他用户造成危害的特定方案. dbo可以更改服务器上的文件分配吗? DBO会影响未直接连接到该数据库的其他资源吗?
I'd like to provide specific scenarios that pose harm to the database and other users. Could a dbo change file allocations on the server? Could a DBO affect other resources not directly connected to that database?
为澄清起见,这是SQL Server 2005,默认情况下,xp_cmdShell未获得DBO用户的授权.我仍然想知道,除了明显的CRUD之外,是否还有其他风险.有人可以用DBO做什么?
As a clarification, this was SQL Server 2005, and by default xp_cmdShell wasn't authorized for DBO users. I'm still wondering if there are risks beyond the obvious CRUD. What can someone do with DBO?
推荐答案
是. dbo有权在数据库上执行任何操作.甚至运行xp_cmdshell.并且一旦您可以运行xp_cmdshell,就可以在系统上执行几乎所有操作. 只要dbo拥有sysadmin权限(默认情况下具有sysadmin权限),这一切就可以实现.
yes. dbo has rights to do whatever it wants on the database. even run xp_cmdshell. and once you can run xp_cmdshell you can do pretty much anything on the system. this is all possible provided dbo has sysadmin rights which by default it has.
这篇关于DBO权利风险的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
