October 6, 2022 by Kenneth Fisher
What you have access to is not just what you have direct permissions to. The other day I needed to copy some backups from one location to another. Unfortunately my network id doesn’t have access to either location. Guess what does though. The service account running the SQL Server instance where the backups were taken. Now, since I’m a sysadmin on that instance when I use xp_cmdshell it uses that service account. I don’t have to know the password or log in as the service account, xp_cmdshell will do it for me.
EXEC xp_cmdshell 'COPY "\\path for backup\DBName.bak" "\\path I need to go to\"';
I have access to not just my permissions but the permissions of every account I can impersonate in any way.
This is a very important mindset to get into. For two reasons. First because it can help you perform tasks that would be difficult otherwise. But even more important. This applies to everyone. When you are handling security you need to be aware that permissions granted are not the only permissions someone has. Every password someone holds multiplies their access. Every account someone can impersonate multiplies their access. And this is a chain. If I can remote using an account other than mine then every account that account has access to is also mine.
I do want to point out that this isn’t necessarily a problem. I have access to those service accounts and that’s ok. That’s part of the permission set I’m supposed to have. The same with credentials etc. This is all about having an awareness of what people can do not about keeping them from doing what they are supposed to be able to do.