How come a login with no rights can give himself db_creator?



























I just created a new login using the GUI, which generates this script:



USE [master]
GO
CREATE LOGIN [tester] WITH PASSWORD=N'tester', DEFAULT_DATABASE=[master],
CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF
GO
use [master]
GO
GRANT CREATE ANY DATABASE TO [tester]
GO


This login was granted to a person who wanted to make a new database. I didn't want to give him db_creator rights, so I used the code above. However, after he installed his application (in which the creation of a database is included), I checked the login again, and now it has the db_creator server role! Somehow he has granted this to himself, and theoretically he could delete my databases now! I've tested this 3 times to make sure that this is indeed what is happening. I've made a trigger to prevent the deletion of databases, which he can't access, but I'm still worried.



How is this even possible and how can I prevent it?










Tags: sql-server sql-server-2008-r2 security






asked Mar 6 '15 at 13:13 by user1261104





























1 Answer






By using the listed script, the user cannot give himself server-level create db rights. My next step would be to look to see if it's possible someone else with sysadmin or high-level permissions did that for him because they misunderstood permissions.

















answered Mar 9 '15 at 21:45 by HMan06













• The person and I were the only ones working on the database. As I didn't give him the permissions, there would seem to be no other option than him doing it...
  – user1261104, Mar 16 '15 at 9:26
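
An added example, not part of the original question or answer, of the check the answer suggests: list what the login holds now and read the default trace to see which login, host and application changed its server role membership. It assumes the [tester] login from the question and that the default trace is enabled; the fixed server role is named dbcreator in the catalog.

```sql
-- Added example: N'tester' is the login from the question; all other objects
-- are SQL Server system catalog views and functions.
DECLARE @login sysname = N'tester';

-- 1. Fixed server roles the login currently belongs to.
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @login;

-- 2. Server-level permissions granted or denied directly, with the grantor.
SELECT p.permission_name, p.state_desc, g.name AS grantor
FROM sys.server_permissions AS p
JOIN sys.server_principals AS e ON e.principal_id = p.grantee_principal_id
JOIN sys.server_principals AS g ON g.principal_id = p.grantor_principal_id
WHERE e.name = @login;

-- 3. Default trace: who added the login to (or dropped it from) a server role.
DECLARE @trace nvarchar(260);
SELECT @trace = path FROM sys.traces WHERE is_default = 1;

IF @trace IS NULL
    PRINT 'Default trace is disabled; no role-change history is available from it.';
ELSE
    SELECT t.StartTime,
           CASE t.EventSubClass WHEN 1 THEN 'ADD' WHEN 2 THEN 'DROP' END AS action,
           t.RoleName,
           t.TargetLoginName,
           t.LoginName        AS executed_by,   -- security context that ran the change
           t.SessionLoginName AS session_login, -- login that opened the session
           t.HostName,
           t.ApplicationName
    FROM sys.fn_trace_gettable(@trace, DEFAULT) AS t
    JOIN sys.trace_events AS te ON te.trace_event_id = t.EventClass
    WHERE te.name = N'Audit Add Login to Server Role Event'
      AND t.TargetLoginName = @login
    ORDER BY t.StartTime;
```

Reading the default trace requires the ALTER TRACE permission, and the trace keeps only a limited number of rollover files, so an older role change may no longer be present.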


















