Re: Microsoft Security Bulletin - MS02-020

["Chip Andrews" <chip () sqlsecurity com>]

Good find.  We found similar excesses this year at Black Hat 2K in Vegas
regarding the SE_TCB_NAME and SE_ASSIGNPRIMARYTOKEN_NAME user rights
assigned to the SQL Server service account.  However, I believe the
appropriate response is to provide a work-around , inform the community, and
inform Microsoft so that they can provide a long-term solution.  Statements
like "securing SQL server by means of using least privileged account for the
service is simply ineffective" could be counter-productive if someone reads
that and then simply gives up and goes LocalSystem.  Least-privilege should
always be the standard - don't avoid it just because MS made an error in
executing good design.  Also keep in mind that the sysadmin-level intruder
can totally tank SQL Server by tweaking other keys and we must conceed that
once someone is a sysadmin, SQL Server (and more importantly all of its
data) is toast - no argument there.

Thanks for the information.  It should definitely end up in our hardening
scripts.  One potential work-around I have tested is to simply load regedt32
and assign the service account read-only access to the registry key.
 Voila - your script fails ('Access is Denied' on xp_regwrite).  You can't
change it later unless you go back in and reset the key permissions but this
shouldn't be a problem unless you rotate service accounts frequently.

The next thing we need to do is audit every single ACL, user right, and
other changes that occurs when service accounts are assigned and see what
other problems are lurking...

Thanks again Bronek for an excellent discovery.

Chip Andrews
http://www.sqlsecurity.com


----- Original Message -----
From: "Bronek Kozicki" <brok () rubikon pl>
To: <focus-ms () securityfocus com>; <bugtraq () securityfocus com>
Sent: Thursday, April 18, 2002 4:35 AM
Subject: Re: Microsoft Security Bulletin - MS02-020


> above is UNTRUE. SQL Server 2000 _can_ run under non-administrator
account,
> however it requires full access to registry key:
> HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSSQLServer
> as explicitly stated in "Setting Up a Secure SQL Server 2000 Installation"
http://www.microsoft.com/technet/prodtechnol/sql/maintain/security/sql2ksec.
asp
> Having this access level, SQL server process is able to modify
"ObjectName"
> value in the registry. This is enough to re-configure service to run as
> LocalSystem. Hence, attacker able to run code under SQL Server account is
able
> to re-configure service to run under highest possible local privileges,
> even is SQL Server is running as regular user. For this reason, securing
> SQL server by means of using least privileged account for the service is
> simply ineffective - opposite to what Microsoft says in above referenced
> article, and in MS02-020.