Admittedly, using Cross-Database Ownership Chaining and/or Impersonation and/or TRUSTWORTHY are quicker and easier to implement than Module Signing. However, the relative simplicity in understanding and implementing these options comes at a cost: the security of your system.
- Cross-DB Ownership Chaining:
  - security risk (can spoof User / DB-level)
  - db_owner users can create objects for other owners
  - Users with CREATE DATABASE permission can create new databases and attach existing databases
- IMPERSONATE permission is required:
  - can be used any time
  - No granular control over permissions
- Cross-DB operations need
- Need to use
- Elevated permissions last until process / sub-process ends or
- Bigger security risk
  - can also spoof Logins, such as “sa” !
- If using SQLCLR Assemblies, no per-Assembly control of ability to be marked as either UNSAFE; all Assemblies are eligible to be marked as either of those elevated permission sets.
The common theme across all three areas is no control, within a Database, over who or what can make use of the feature / option, or when it can be used.
Read the whole thing.
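To see where the three options discussed above are currently in play on an instance, the following read-only catalog queries can serve as a starting audit. This is an added example, not code from the original article; it uses only standard SQL Server catalog views, and queries 4 and 5 report on the current database, so run them in each database of interest.

```sql
-- 1. Server-wide Cross-DB Ownership Chaining setting (1 = enabled for every database).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'cross db ownership chaining';

-- 2. User databases with TRUSTWORTHY or per-database ownership chaining enabled.
--    System databases are excluded (msdb ships with TRUSTWORTHY ON).
--    A TRUSTWORTHY database owned by a sysadmin login is the highest-risk case.
SELECT d.name                                   AS database_name,
       SUSER_SNAME(d.owner_sid)                 AS owner_login,
       IS_SRVROLEMEMBER(N'sysadmin',
                        SUSER_SNAME(d.owner_sid)) AS owner_is_sysadmin,
       d.is_trustworthy_on,
       d.is_db_chaining_on
FROM sys.databases AS d
WHERE d.database_id > 4
  AND (d.is_trustworthy_on = 1 OR d.is_db_chaining_on = 1);

-- 3. Logins that have been granted IMPERSONATE on another login.
SELECT grantee.name AS grantee_login,
       target.name  AS can_impersonate_login,
       p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.server_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = N'IMPERSONATE'
  AND p.class_desc      = N'SERVER_PRINCIPAL';

-- 4. Users in the current database that have been granted IMPERSONATE on another user.
SELECT grantee.name AS grantee_user,
       target.name  AS can_impersonate_user,
       p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS grantee ON grantee.principal_id = p.grantee_principal_id
JOIN sys.database_principals  AS target  ON target.principal_id  = p.major_id
WHERE p.permission_name = N'IMPERSONATE'
  AND p.class_desc      = N'DATABASE_PRINCIPAL';

-- 5. User-defined SQLCLR assemblies in the current database that run with an
--    elevated permission set (anything other than SAFE).
SELECT a.name, a.permission_set_desc, a.create_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> N'SAFE_ACCESS';
```

Any row returned by queries 2 through 5 marks a place where elevated access is not tied to a specific signed module and is worth reviewing.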