Watch Out for Permission Hijacking!

Erland Sommarskog

You’re a DBA and SysAdmin on a server. On this server, there are application admins who are db_owner in their databases, but may want to perform actions outside of that database – maybe become a SysAdmin, maybe steal or modify the data, or maybe something else.

Are you aware that they could hijack your permissions and lure you to run commands to their advantage? Maybe you decided to keep the application team out from the production server, but what if they’re able to hijack your permissions to gain access?

It’s not only the SysAdmin who can be a target of hijacking attacks: a developer in a database may also strive to get full access in that database by hijacking the permissions of db_owner.

In this session, you will learn about permission hijacking, how such attacks can be performed, and how you can defend yourself against them. You will also learn why you should never add users directly to the db_ddladmin role, but instead use a custom role that is a member of db_ddladmin with one extra tweak.
