Do you check for TRUSTWORTHY databases as part of your security audits?

7

December 30, 2015 by Kenneth Fisher

I ran a twitter poll the other day Do you check for databases with trustworthy turned on when you do security audits?

TRUSTWORTHY1

I wasn’t surprised (although a little disappointed) that out of the 9 people the answered only one person was, and of the rest 5 didn’t even know what TRUSTWORTHY is. I even had one person ask me later. That’s somewhat scary because under the right circumstances if you give me a database with TRUSTWORTHY turned on I can take over your instance. I’m NOT going to show you how but it isn’t terribly difficult.

So what is the TRUSTWORTHY database property? If turned on then SQL Server trusts the contents of the database. Not terribly clear if you ask me.

I haven’t been able to find a whole lot out about all of the details of it but here are a few that I do know.

  • It will allow you to impersonate server level permissions. This has some scary potential if you aren’t careful about it.
  • If you restore or attach a database this setting is automatically turned off.
  • msdb is the only database with TRUSTWORTHY automatically set on.

 
Because of the potential to use instance level security from inside of the database you need to be particularly careful when granting access to one of these databases. Like I said above, with the right access (and one or two other things) a user in a trusted database can take over the instance.

So my recommendation is that when you are doing a security audit you should include a check for TRUSTWORTHY databases (sys.databases.is_trustworthy_on = 1). For any TRUSTWORTHY database you find you want to carefully check the permissions of the database owner and those of the users of the database.

SELECT sys.server_principals.name as Owner, sys.databases.*
FROM sys.databases
LEFT OUTER JOIN sys.server_principals
	ON sys.databases.owner_sid = sys.server_principals.sid
WHERE is_trustworthy_on = 1

7 thoughts on “Do you check for TRUSTWORTHY databases as part of your security audits?

  1. alzdba says:

    Sound advice!
    Also keep in mind, you may break things when you turn it off ( e.g. Service broker ) ! So it’s not _only_ a user authority thing.

    • You are absolutely right. And msdb HAS to have trustworthy for a number of reasons. I’m just advocating being aware of which DBs have TRUSTWORTHY turned on and being particularly careful of who you give elevated rights (impersonation, db_owner etc) on those DBs.

  2. […] Kenneth Fisher asks if you check TRUSTWORTHY settings on your databases: […]

  3. Wayne West says:

    As a part of my nightly maintenance procedure, I run the following code that now incorporates your trustworthy check:

    SELECT GETDATE() AS RunTime, LEFT(db.name, 15) AS DBName, ssp.name AS Owner,
    	LEFT(db.filename, 60) AS Filename, 
    	LEFT(db.status ,6) AS Status,
    	sdb.recovery_model_desc as RecoveryModel,
    	 CASE sdb.is_trustworthy_on 
    		WHEN 1 THEN 'TRUSTWORTHY (check!)' 
    		ELSE 'not trustworthy (ok)' END AS Trustworthiness
    FROM sysdatabases db
    --where dbid > 4
    --	and status  528
    JOIN sys.databases sdb
    	ON db.dbid = sdb.database_id
    LEFT OUTER JOIN sys.server_principals ssp
    	ON db.sid = ssp.sid
    ORDER BY sdb.name;

    It shows me if a database suddenly appears somewhere other than where it should be, the recovery model, and trustworthiness. I also look at the status code as it should be either 65536 or 65544 for my environment: any other value and I know that I need to look at it.

    I know sysdatabases is deprecated and will eventually be removed, I haven’t taken the time yet to rewrite the code for the more current sources.

    Thanks for the post! Very important information to keep track of!

  4. Susan says:

    Thanks for sharing this tip. I should run some checkup on our database if there’s some security issues. Its been two months since the last time check up.

    • Yea, with all the hype about recovery planning (don’t get me wrong, super, super important) people tend to forget that you have to do security checkups every now and again too 🙂

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 2,148 other followers

Follow me on Twitter

ToadWorld Pro of the Month November 2013
%d bloggers like this: