I'm about to turn on cross database ownership chaining and would like to know if IN MY CASE it is safe to do so. The only login account with any database roles other than public is the sa account.
It's my intention to assign a login account (and hard code it) for each application that accesses the server and assign only the privileges needed for that application. However, I need to be able to access multiple databases within one SP. Hence the need to turn on cross database ownership chaining.
My question is: if someone where to discover the login account information for the application, could they then use the security vulnerability associated with cross database ownership chaining to gain sa rights in this situation? I've read as much as I could find on the subject, but I'm not so sure that I really understand how the vulnerability works...I think I'm ok in this situation, but I'm just not sure. Can you help?
-Karl
[red] Cursors, triggers, user-defined functions and dynamic SQL are an axis of evil![/red]
[green]Life's uncertain...eat dessert first...www.deerfieldbakery.com[/green]
It's my intention to assign a login account (and hard code it) for each application that accesses the server and assign only the privileges needed for that application. However, I need to be able to access multiple databases within one SP. Hence the need to turn on cross database ownership chaining.
My question is: if someone where to discover the login account information for the application, could they then use the security vulnerability associated with cross database ownership chaining to gain sa rights in this situation? I've read as much as I could find on the subject, but I'm not so sure that I really understand how the vulnerability works...I think I'm ok in this situation, but I'm just not sure. Can you help?
-Karl
[red] Cursors, triggers, user-defined functions and dynamic SQL are an axis of evil![/red]
[green]Life's uncertain...eat dessert first...www.deerfieldbakery.com[/green]
