
Avoid Impersonation And The Trustworthy Flag

Solomon Rutzky explains how you can use module signing to avoid the security risks which come with impersonation and setting Trustworthy on:

Admittedly, using Cross-Database Ownership Chaining and/or Impersonation and/or TRUSTWORTHY are quicker and easier to implement than Module Signing. However, the relative simplicity in understanding and implementing these options comes at a cost: the security of your system.

  • Cross-DB Ownership Chaining:
    • security risk (can spoof User / DB-level)
    • db_ddladmin & db_owner users can create objects for other owners
    • Users with CREATE DATABASE permission can create new databases and attach existing databases
  • Impersonation:
    • If IMPERSONATE permission is required:
      • can be used any time
      • No granular control over permissions
    • Cross-DB operations need TRUSTWORTHY ON
    • Need to use ORIGINAL_LOGIN() for Auditing
    • Elevated permissions last until process / sub-process ends or REVERT
  • TRUSTWORTHY:
    • Bigger security risk
      • can also spoof Logins, such as “sa”!
      • If using SQLCLR Assemblies, no per-Assembly control of ability to be marked as either EXTERNAL_ACCESS or UNSAFE: all Assemblies are eligible to be marked as either of those elevated permission sets.

The common theme across all three areas is no control, within a Database, over who or what can make use of the feature / option, or when it can be used.

Read the whole thing.
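As an added illustration of the module signing approach the post recommends (this is example T-SQL written for this page, not code from Solomon Rutzky's article), the script below signs a stored procedure with a certificate and grants the certificate-mapped user only the one cross-database permission the procedure needs, so neither TRUSTWORTHY nor IMPERSONATE is involved. The database names `AppDB` and `AuditDB`, the procedure `dbo.ArchiveOrders`, the table `dbo.OrderArchive`, the certificate and user names, the password and the file path are all hypothetical placeholders. It closes with the audit queries a DBA would run to find databases where the weaker options are still switched on.

```sql
-- Added example, not from the original post. All object names are hypothetical.
-- Scenario: AppDB.dbo.ArchiveOrders must INSERT into AuditDB.dbo.OrderArchive
-- without the caller having direct rights on AuditDB.

USE AppDB;
GO
-- 1. Create a certificate in the database that holds the module to be signed.
CREATE CERTIFICATE ArchiveSigningCert
    ENCRYPTION BY PASSWORD = N'<strong password placeholder>'
    WITH SUBJECT = N'Signs dbo.ArchiveOrders';
GO
-- 2. Sign the procedure. The signature is invalidated if the procedure text
--    changes, so re-signing is required after every ALTER PROCEDURE.
ADD SIGNATURE TO dbo.ArchiveOrders
    BY CERTIFICATE ArchiveSigningCert
    WITH PASSWORD = N'<strong password placeholder>';
GO
-- 3. Export only the public key (no WITH PRIVATE KEY clause), so the
--    target database can verify the signature but cannot sign anything.
BACKUP CERTIFICATE ArchiveSigningCert
    TO FILE = N'<path placeholder>\ArchiveSigningCert.cer';
GO

USE AuditDB;
GO
-- 4. Recreate the certificate (public key only) in the target database
--    and map a user to it. This user cannot log in; it exists solely to
--    carry permissions that apply while a validly signed module runs.
CREATE CERTIFICATE ArchiveSigningCert
    FROM FILE = N'<path placeholder>\ArchiveSigningCert.cer';
GO
CREATE USER ArchiveSigningUser FROM CERTIFICATE ArchiveSigningCert;
GO
-- 5. Grant exactly the permission the procedure needs and nothing more.
--    Callers still only need EXECUTE on AppDB.dbo.ArchiveOrders, plus the
--    ability to enter AuditDB (an existing user mapping or the guest user);
--    the INSERT right is added only for the duration of the signed module.
GRANT INSERT ON dbo.OrderArchive TO ArchiveSigningUser;
GO

-- Audit checks: find where the options the post warns about are still in use.
-- Databases with TRUSTWORTHY or cross-database ownership chaining enabled:
SELECT name, is_trustworthy_on, is_db_chaining_on
FROM sys.databases
WHERE is_trustworthy_on = 1 OR is_db_chaining_on = 1;

-- Explicit IMPERSONATE grants in the current database:
SELECT USER_NAME(grantee_principal_id) AS grantee,
       USER_NAME(major_id)             AS impersonated_user,
       state_desc
FROM sys.database_permissions
WHERE permission_name = N'IMPERSONATE';

-- Which modules in the current database carry a signature:
SELECT OBJECT_SCHEMA_NAME(major_id) AS schema_name,
       OBJECT_NAME(major_id)        AS module_name,
       crypt_type_desc
FROM sys.crypt_properties;
```

The key difference from impersonation is visible in step 5: the elevated right is bound to a specific signed module rather than to a session, so it cannot be invoked ad hoc, it lapses automatically when the module returns, and `ORIGINAL_LOGIN()` is not needed because the caller's identity is never switched.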