I'm advising a friend who manages a SQL 2k5 box that has several users who have dbo access to multiple databases. The problem is:
- These users haven't had their passwords changed for some months,
- These users put their IDs into applications and the applications run as DBO.
So - aside from the obvious dbo rights to add/update/delete tables and procs, what dangers can I cite for a malicious user having dbo to a SQL 2005 database?
I'd like to provide specific scenarios that pose harm to the database and other users. Could a dbo change file allocations on the server? Could a DBO affect other resources not directly connected to that database?