Careful With Trustworthy Setting

Trustworthy database setting is an easy solution for some problems in the server, especially cross database access. However, this setting has also a security problem in some scenarios.

The scenario that has a security break is the following:

  1. One or more databases are owned by a user with ‘sysadmin’ rights. If the databases were created by a ‘sysadmin’ and the owner didn’t change after that this will happen
  2. Some logins that aren’t ‘sysadmin’ were included in ‘db_owner’ database role of some databases, but not all.
  3. The trustworthy setting is enabled for these databases, owned by ‘sysadmin’ and with one or more logins in ‘db_owner’ database role.

The security break: The users in ‘db_owner’ database role can include themselves in System Administrators server role and take control of the server.

Let’s see an example.

Unless you are completely sure this security break will not be a problem for your environment, you shouldn’t enable trustworthy. Instead enabling trustworthy you can use certificates to sign modules such as stored procedures and achieve the same result with more security.