4th September, 2009, 10:19 AM
Aedan
Chief Systems Administrator
Join Date: September 2001
Location: Europe
Posts: 13,075

This seems to be a non-issue to me really. Let me explain why, for those who are interested.

Point one.
MS SQL server supports two types of authentication. One type of authentication is against the Active Directory, which is a centralised authentication system. The other type of authentication is against a local database held inside the SQL server.

Active Directory (AD) provides a central single point of control. If you need to change the password for a database user that's used on 12 servers, you simply change it once on AD.

Under the local database method, you'd have to change the password on each individual server - that's 12 servers you'd have to make sure you got.

Thus good security practice is to only use authentication against Active Directory (known as Windows Authentication), because it simplifies the management of user accounts. This "vulnerability" doesn't affect authentication via Active Directory. So, if you're already following good security practice, this issue will never affect you.

Second point...
The vulnerability mixes up administrative access. A database administrator can administer a database, but would not be a system administrator. Thus, the database administrator would not have access to read/write memory.

A system administrator may have access to read/write memory, if they have been granted permission to do so (which is the case by default). However, someone in such a position would also be in a position to change your password, do the naughty deed, and then change it back without you knowing.

If you cannot trust your system administrators, then all bets are off. However, sensible organisations also have a mechanism for auditing what occurs. So, if an administrator does bad things, the fact that they have done so is recorded. That in its own right is a strong deterrent.

Last edited by Áedán; 4th September, 2009 at 10:21 AM.
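A way to check an instance against the two points above, as an added T-SQL example that is not part of the original post: it reports whether the server is configured for Windows Authentication only, lists any enabled SQL-authenticated logins (the only accounts a SQL-auth-only issue would reach), and shows who already holds sysadmin. Column and property names are the documented SQL Server catalog views; the `##%` exclusion is an assumption to skip the internal certificate-mapped logins.

```sql
-- Added example (not from the original post): audit an instance for the
-- configuration the post recommends. Run with a login that can read
-- sys.server_principals (VIEW ANY DEFINITION or sysadmin).

-- 1 = Windows Authentication only; 0 = mixed mode (SQL logins enabled).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- Every enabled SQL-authenticated login (type 'S') is in scope for a
-- SQL-auth-only issue; Windows logins and groups ('U' / 'G') are not.
-- Password policy and expiration flags show whether the local-database
-- accounts are at least held to the domain's password rules.
SELECT p.name,
       p.is_disabled,
       l.is_policy_checked,
       l.is_expiration_checked,
       IS_SRVROLEMEMBER('sysadmin', p.name) AS is_sysadmin
FROM sys.server_principals AS p
JOIN sys.sql_logins AS l ON l.principal_id = p.principal_id
WHERE p.type = 'S'
  AND p.name NOT LIKE '##%'   -- assumption: skip internal ##MS_...## logins
ORDER BY is_sysadmin DESC, p.name;

-- The post's second point: anyone in sysadmin can already do everything,
-- so this list is the set of people you must be able to trust (and audit).
SELECT m.name AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

If the first query returns 0 and the second returns rows, the instance is in the mixed-mode configuration the post says good practice avoids; switching to Windows Authentication only and disabling or dropping the SQL logins takes those accounts out of scope.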