To: Boogieman
I'm reluctant to explain this again today, because I went around on this topic yesterday.
Also, the BAIT to get people to this conference was packet captures proving Chinese interference. Now we are SWITCHing the topic to talk about whether batch files can hack SQL Server.
They can't. Let's use your example: my AD account is CORP\joe. I'm dbo on a database. I create a batch file job in Task Scheduler (why would I ever do this??? Database maintenance jobs run in SQL Agent). I get demoted, and my CORP\joe creds are lowered (or elevated, you pick). When my nonsensical scheduled task runs under the context of CORP\joe, the permissions I have to the DB in this moment are applied, not when the job was created.
If you think database permissions are that unsophisticated, there isn't anything I can say to you that will register.
To: Technical
“When my nonsensical scheduled task runs under the context of CORP\joe, the permissions I have to the DB in this moment are applied, not when the job was created.”
The idea is you run the task under the actual server administrator account, not your own AD account. That account is not going to be demoted, so it will still have permission to run a query later on, even when your own AD/SQL permissions are gone. It may seem to be of limited utility, but it’s still an exploit.
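A defensive check for the situation argued over in the two posts above, as an added example that is not part of either post: it parses Task Scheduler XML (the format `schtasks /query /xml` exports) and flags tasks whose run-as account differs from the account that registered them. The sample tasks, the account names other than CORP\joe, and the `PRIVILEGED` set are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumption: accounts this site treats as privileged (constructed list).
PRIVILEGED = {r"corp\sqladmin", "system", r"nt authority\system", "s-1-5-18"}

def task_xml(author, run_as, command):
    """Build a minimal constructed task definition for the samples below."""
    return rf"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>{author}</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>{run_as}</UserId></Principal></Principals>
  <Actions><Exec><Command>{command}</Command></Exec></Actions>
</Task>"""

# Constructed sample exports, not taken from any real system.
SAMPLE_TASKS = {
    "NightlyCleanup": task_xml(r"CORP\joe", r"CORP\sqladmin", r"C:\jobs\cleanup.bat"),
    "JoeOwnReport": task_xml(r"CORP\joe", r"CORP\joe", r"C:\jobs\report.bat"),
    "AnnExport": task_xml(r"CORP\ann", r"CORP\svc_report", r"C:\jobs\export.bat"),
}

def audit(tasks):
    """Return one finding per task that runs as someone other than its author."""
    findings = []
    for name, xml_text in tasks.items():
        root = ET.fromstring(xml_text)
        author = root.findtext("t:RegistrationInfo/t:Author", "", NS).strip()
        run_as = root.findtext("t:Principals/t:Principal/t:UserId", "", NS).strip()
        if not run_as or run_as.lower() == author.lower():
            # Runs as its own author: access follows that account's current
            # permissions, so demoting the author also demotes the task.
            continue
        findings.append({
            "task": name,
            "author": author,
            "run_as": run_as,
            # Demoting the author does not change what this task can do.
            "privileged": run_as.lower() in PRIVILEGED,
            "commands": [c.text for c in root.iterfind("t:Actions/t:Exec/t:Command", NS)],
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_TASKS):
        level = "HIGH" if f["privileged"] else "review"
        print(f"[{level}] {f['task']}: author={f['author']} run_as={f['run_as']} {f['commands']}")
```

Findings marked privileged are the ones to review when the author's own access is reduced or removed.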