Hi. I don't really want to turn sp_Blitz into a security auditing tool. There's definitely an opening in the market if you'd like to build a security assessment tool, and you're welcome to fork sp_Blitz to do that. It's just not something I'm going to work on at this time. (I steer pretty far away from security work.) Thanks though!
Hi,
This is a suggestion specific to the MSDB database. I would recommend improving the write-up to flag the finding as "caution" if a database user in MSDB is granted either the "db_owner" or the "db_ddladmin" role, as these will lead to a privilege escalation attack to the SYSADMIN role.
For example, in the Details section:
In [msdb], user [tom] has the role [db_ddladmin]. This user can perform a privilege escalation attack; immediate action should be taken.
In [msdb], user [tom] has the role [db_owner]. This user can perform a privilege escalation attack; immediate action should be taken.
I talked about this in my two blog posts:
https://databasesecurityninja.wordpress.com/2022/08/28/sql-server-privilege-escalation-from-db_owner-to-sysadmin-by-design/
https://databasesecurityninja.wordpress.com/2024/01/07/sql-server-privilege-escalation-from-db_ddladmin-to-sysadmin/
Finally, thanks for this great tool that is greatly helping the community.
Regards,
Emad Al-Mousa
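The check proposed in this issue, written out as a stand-alone T-SQL query. This is an added example and is not part of sp_Blitz nor code from the issue author; it assumes SQL Server 2008 or later (it uses only the `sys.database_principals` and `sys.database_role_members` catalog views) and that it is run in the context of the `msdb` database. It goes slightly beyond the issue text in one respect: membership is resolved through nested user-defined roles, so a user who reaches `db_owner` or `db_ddladmin` only via a custom role that is itself a member of one of those fixed roles is reported as well, with the shortest path depth. The `details` column is formatted in the wording the issue suggests for the Details section.

```sql
USE msdb;
GO

-- Walk role membership recursively, starting from the two fixed database
-- roles the issue flags. Fixed roles cannot be members of other roles, but
-- user-defined roles can be members of fixed roles, so a direct join alone
-- would miss users who inherit the role through a custom role.
;WITH role_tree AS (
    -- Anchor: direct members of db_owner / db_ddladmin in this database.
    SELECT drm.role_principal_id   AS top_role_id,
           drm.member_principal_id AS member_principal_id,
           1                       AS depth
    FROM sys.database_role_members AS drm
    JOIN sys.database_principals   AS r
      ON r.principal_id = drm.role_principal_id
    WHERE r.name IN (N'db_owner', N'db_ddladmin')

    UNION ALL

    -- Recurse: members of any principal that is itself a member found above.
    -- The depth cap (assumed value, 10) guards against runaway recursion.
    SELECT rt.top_role_id,
           drm.member_principal_id,
           rt.depth + 1
    FROM role_tree AS rt
    JOIN sys.database_role_members AS drm
      ON drm.role_principal_id = rt.member_principal_id
    WHERE rt.depth < 10
)
SELECT
    DB_NAME()       AS database_name,
    m.name          AS member_name,
    m.type_desc     AS member_type,
    r.name          AS effective_role,
    MIN(rt.depth)   AS shortest_path_depth,
    N'Caution'      AS finding_priority,
    -- Details text in the format proposed in the issue.
    N'In [' + DB_NAME() + N'], user [' + m.name + N'] has the role ['
        + r.name + N']. This user can perform a privilege escalation attack; '
        + N'immediate action should be taken.' AS details
FROM role_tree AS rt
JOIN sys.database_principals AS m ON m.principal_id = rt.member_principal_id
JOIN sys.database_principals AS r ON r.principal_id = rt.top_role_id
-- Keep only real users/groups: S = SQL user, U = Windows user, G = Windows
-- group, E = external (Azure AD) user, X = external group. This drops the
-- intermediate database roles (type R) that the recursion passes through.
WHERE m.type IN ('S', 'U', 'G', 'E', 'X')
  -- dbo is the database owner by definition and is not a finding.
  AND m.name <> N'dbo'
GROUP BY m.name, m.type_desc, r.name
ORDER BY r.name, m.name;
```

Running this against `msdb` returns one row per user-or-group and flagged role; an empty result set means no non-dbo principal holds `db_owner` or `db_ddladmin` in `msdb`, directly or through a nested role. The same query runs unchanged in any other database by changing the `USE` line, which is useful if the finding is ever extended beyond `msdb`.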