tags:
views: 310
answers: 3

+2  Q: 

DBO rights risk

I'm advising a friend who manages a SQL 2k5 box that has several users who have dbo access to multiple databases. The problem is:

  1. These users haven't had their passwords changed for some months,
  2. These users put their IDs into applications and the applications run as DBO.

So - aside from the obvious dbo rights to add/update/delete tables and procs, what dangers can I cite for a malicious user having dbo to a SQL 2005 database?

I'd like to provide specific scenarios that pose harm to the database and other users. Could a dbo change file allocations on the server? Could a DBO affect other resources not directly connected to that database?

+2  A: 

Yes. dbo has rights to do whatever it wants on the database, even run xp_cmdshell. And once you can run xp_cmdshell you can do pretty much anything on the system. This is all possible provided dbo has sysadmin rights, which by default it has.

Mladen Prajdic
A: 

Is there an alternative to DBO that will let someone CRUD on tables and procs?

Caveatrob
A: 

As a clarification, this was SQL Server 2005, and by default xp_cmdshell wasn't authorized for DBO users. I'm still wondering if there are risks beyond the obvious CRUD. What can someone do with DBO?

Caveatrob
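The thread above turns on whether "dbo" on a database also means sysadmin on the instance, and whether xp_cmdshell is reachable. The following T-SQL is an added example, not code from the original thread or from any of its posters; it runs as the login being assessed on SQL Server 2005 and shows how to check each of those points, and why xp_cmdshell is a server-level switch rather than a database-level one. The query in step 5 is an added check for a documented escalation path that the thread does not mention: a db_owner in a database that is marked TRUSTWORTHY and owned by a sysadmin login can run code as that owner via EXECUTE AS OWNER. Nothing below assumes any specific database, login or proxy account name.

```sql
-- Added example (not from the original thread). Run as the login in question.
-- Every object used here exists in SQL Server 2005: IS_MEMBER, IS_SRVROLEMEMBER,
-- sys.configurations, sys.databases, sp_configure, xp_cmdshell.

-- 1. Is this login in db_owner for the current database, and is it ALSO sysadmin?
--    The second column is what decides whether "dbo" means "owns the box".
SELECT DB_NAME()                    AS database_name,
       SUSER_SNAME()                AS login_name,
       IS_MEMBER('db_owner')        AS is_db_owner,   -- 1 = yes, 0 = no
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;   -- 1 = yes, 0 = no

-- 2. Is xp_cmdshell enabled on the instance? It is off by default in 2005.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 3. Turning it on is a server-level change. This needs the ALTER SETTINGS
--    server permission (held by sysadmin and serveradmin). A login that is
--    only db_owner fails here with "User does not have permission to perform
--    this action", which is why db_owner alone does not unlock xp_cmdshell.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Once enabled, a sysadmin runs OS commands as the SQL Server service
--    account. Non-sysadmin callers additionally need EXECUTE on xp_cmdshell
--    and a proxy account configured with sp_xp_cmdshell_proxy_account.
EXEC master..xp_cmdshell 'whoami';

-- 5. Added check: escalation that needs no xp_cmdshell at all. If a database
--    is TRUSTWORTHY and owned by a sysadmin login, a db_owner can create a
--    procedure WITH EXECUTE AS OWNER and run server-level statements as that
--    owner. Any row returned here with a sysadmin owner_login is a finding.
SELECT name,
       SUSER_SNAME(owner_sid) AS owner_login,
       is_trustworthy_on
FROM   sys.databases
WHERE  is_trustworthy_on = 1;
```

Read together: step 1 tells you whether the "dbo has sysadmin by default" claim holds for a particular login (it holds when the login is in sysadmin, which maps it to dbo in every database, but not for a login that was merely added to db_owner); steps 2 and 3 show that xp_cmdshell is gated by a server permission, not by database ownership; step 5 is the case where database-level ownership does reach server-level rights without xp_cmdshell, and the remedy is to set TRUSTWORTHY OFF or change the database owner to a non-sysadmin login.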