What you can do is based on more than your direct permissions.


October 6, 2022 by Kenneth Fisher

What you have access to is not just what you have direct permissions to. The other day I needed to copy some backups from one location to another. Unfortunately my network id doesn't have access to either location. Guess what does, though: the service account running the SQL Server instance where the backups were taken. Since I'm a sysadmin on that instance, when I use xp_cmdshell it runs under that service account. I don't have to know the password or log in as the service account; xp_cmdshell will do it for me.

-- Runs under the SQL Server service account, not the caller's Windows login
EXEC xp_cmdshell 'COPY "\\path for backup\DBName.bak" "\\path I need to go to\"';

I have access to not just my permissions but the permissions of every account I can impersonate in any way.

This is a very important mindset to get into, for two reasons. First, because it can help you perform tasks that would be difficult otherwise. Second, and more important, because it applies to everyone. When you are handling security you need to be aware that the permissions granted to someone are not the only permissions they have. Every password someone holds multiplies their access. Every account someone can impersonate multiplies their access. And this is a chain: if I can remote in using an account other than mine, then every account that account has access to is also mine.
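The chain described above can be audited rather than reasoned about by hand. The following is an added example, not code from the post: it treats direct grants and impersonation paths (sysadmin plus xp_cmdshell, a known password, a stored credential) as a graph and computes a principal's effective access as the union of everything reachable. The account names, shares and edges are constructed to mirror the scenario in the post.

```python
# Added example: effective access = union of the direct permissions of every
# account a principal can reach through a chain of impersonation paths.
from collections import deque

# Direct permissions: principal -> set of resources it is granted directly.
# (Constructed sample data, not real accounts or shares.)
DIRECT = {
    "kenneth\\network_id": {"sql01:sysadmin"},
    "svc_sql01":           {r"\\backupshare\sql01", r"\\destshare\restore"},
    "svc_agent":           {r"\\reports\output"},
    "dba_jump":            {"jump01:rdp"},
}

# Impersonation edges: (who, how, whom) meaning "who can act as whom".
EDGES = [
    ("kenneth\\network_id", "sysadmin: xp_cmdshell runs as service account", "svc_sql01"),
    ("kenneth\\network_id", "knows password", "dba_jump"),
    ("dba_jump",            "stored credential on jump host", "svc_agent"),
]

def effective_access(principal):
    """Return (paths, resources): how each reachable account is reached,
    and the union of every resource those accounts can touch."""
    by_actor = {}
    for who, how, whom in EDGES:
        by_actor.setdefault(who, []).append((how, whom))
    paths = {principal: []}             # account -> list of hops used to reach it
    queue = deque([principal])
    while queue:                        # breadth-first walk of the impersonation graph
        cur = queue.popleft()
        for how, whom in by_actor.get(cur, []):
            if whom not in paths:       # first path wins; also stops cycles
                paths[whom] = paths[cur] + [f"{cur} --[{how}]--> {whom}"]
                queue.append(whom)
    resources = set()
    for acct in paths:
        resources |= DIRECT.get(acct, set())
    return paths, resources

if __name__ == "__main__":
    paths, resources = effective_access("kenneth\\network_id")
    for acct, hops in paths.items():
        print(acct, "via", " ; ".join(hops) or "(self)")
    print("effective access:", sorted(resources))
```

Running it shows that the network id reaches both backup shares through the service account and, two hops away, the reports share, none of which appear in its direct grants.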

I do want to point out that this isn't necessarily a problem. I have access to those service accounts and that's ok; that's part of the permission set I'm supposed to have. The same goes for credentials and so on. This is all about having an awareness of what people can do, not about keeping them from doing what they are supposed to be able to do.
