I was sitting at my desk, happily minding my own business when an alert came through that a database backup had failed. Ok, backups fail, I just figured one of the transaction log backups hiccupped (we’ve been having some problems the last few days).
When I looked at the failure it was a backup trying to write to the C drive on the server.
I NEVER backup to C. It can easily fill the drive and take down the system.
A bigger indicator that something was up was that all of our backups are done across a 10Gb network to a centralized location for ease of tape backup. This indicated that someone, not a DBA, had the access to run a SQL backup.
I trawled through the permissions on the server and nobody has that level of access so I couldn’t figure out who had done this and how.
So What Happened?
Looking through the SQL logs I saw multiple attempts by a contractor to login to SQL, all of which failed, then about 5 minutes after the backup error came through. Interesting stuff, so I walked over to the contractor and asked what was going on.
After he was unable to login he went to the application admin who helped him out with access…using the application service account.
One of the third party applications from Microsoft some unnamed vendor has a database on that server. Due to the nature of the well designed code the database owner has to be the same as the service account of the application. The application admin knows this password (not my doing).
After logging this contractor in as the application service account the app admin walked away and left him to his own devices. As a result this contractor was dbo on a database which manages security for the entire company. We should just consider ourselves lucky all this guy did was attempt to perform a backup.
In order to try and prevent this kind of thing in the future I am looking at implementing a login trigger for the service account which checks the host and application connecting and denying access to anything not in a specifically approved list. There is also a conversation going on to possibly disable interactive logons for the service account using a group policy at the domain level.
It is a Matter of Trust
While the application admin is obviously at serious fault here it leads to a question of how well do you trust your admin team?
Domain admins will be able to access your SQL Servers (get over it, there is no way you can keep them out, if they really want in there are numerous ways for them to do so).
Anyone with a password could share that with someone else and allow them to access your servers.
Ultimately you have to trust those that you work with to do the right thing. It’s always sad when those people let you down.