Monday 27 July 2009

Issue #5 Incorrect Permissions

This is a very common problem and usually comes about due to a lack of knowledge of how to secure an application or perhaps because the developer is afraid of what will break if they apply the correct permissions. Usually when we develop, we are administrators on our own machines and probably system administrators on the SQL Server machine as well.

Additionally, it may come down to some components requiring elevated privileges to work. This can happen, for example, if you want to do Excel automation from an ASP.NET application.

Windows programmers can require Administrator rights as well, to access certain hives in the Windows registry. Even Visual Studio requires admin rights for development; without them you cannot debug certain application types.

If the permissions on your database are too loose, you can leave yourself wide open to the more severe side of SQL injection attacks.

You should use the lowest level of permissions you can get away with for your application. It is better to add permissions than to take them away, so start with a highly restricted account and add only the permissions you need to ensure that your application works correctly.

Ideally, you should look at using specific accounts for your applications, so that roles are separated between applications.
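The advice above applied to SQL Server, as an added example that is not part of the original post: a dedicated, restricted account for one application beside the loose setup it replaces, followed by queries that show what the account can actually do. The database, login, role, table and procedure names are hypothetical, and the password is a placeholder.

```sql
-- Added example: ShopDb, shop_web, shop_web_role, dbo.Products, dbo.Orders
-- and dbo.usp_PlaceOrder are hypothetical names.

-- Too loose: what a development setup usually amounts to. Any statement
-- injected through the application runs with these rights.
--   ALTER SERVER ROLE sysadmin ADD MEMBER shop_web;  -- server-wide admin
--   ALTER ROLE db_owner ADD MEMBER shop_web;         -- full control of ShopDb

-- Restricted: a dedicated login used by this one application only.
CREATE LOGIN shop_web WITH PASSWORD = '<placeholder: set a strong password>';
GO
USE ShopDb;
GO
CREATE USER shop_web FOR LOGIN shop_web;
CREATE ROLE shop_web_role;
-- SQL Server 2012 and later; older versions use sp_addrolemember instead.
ALTER ROLE shop_web_role ADD MEMBER shop_web;

-- Start from nothing and add only what the application needs.
GRANT SELECT ON OBJECT::dbo.Products TO shop_web_role;
GRANT SELECT, INSERT ON OBJECT::dbo.Orders TO shop_web_role;
GRANT EXECUTE ON OBJECT::dbo.usp_PlaceOrder TO shop_web_role;
GO

-- Check 1: list the explicit permissions the role holds.
SELECT pr.name AS principal, pe.state_desc, pe.permission_name,
       OBJECT_NAME(pe.major_id) AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'shop_web_role';

-- Check 2: any row returned here means the account sits in a
-- high-privilege database role and needs attention.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'shop_web'
  AND r.name IN ('db_owner', 'db_securityadmin', 'db_ddladmin');

-- Check 3: a value of 1 means the login is a server administrator.
SELECT IS_SRVROLEMEMBER('sysadmin', 'shop_web') AS is_sysadmin;
```

Granting to a role rather than directly to the user keeps each application's permission set in one place, which makes it easy to review when a second application gets its own account.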
