SQL Server - The Principle of Least Privilege


Slide 1

Database Access: The Principle of Least Privilege
by Adam Machanic, Microsoft MVP and founder of Data Education
Read the full article at http://dataeducation.com/blog/database-access-the-principle-of-least-privilege

Slide 2

Minimum Required Access
- A user should have access to only the bare minimum set of resources required, for only the amount of time needed.
- In practice this is more of an ideal goal: many systems do not allow privilege to be easily escalated dynamically.
- Windows-based solutions have not historically been engineered to use escalation of privilege as a way to gain additional access at run time.

Slide 3

Impersonation vs. Reauthentication
- Reauthentication: logging out and resending credentials, stopping whatever is running.
- Impersonation: allows a process to temporarily escalate its privileges, taking on the rights held by the impersonated principal.

Slide 4

UNIX Impersonation
- Many non-Windows operating systems were originally designed for multiuser access, so it is possible to impersonate another user when access to a resource owned by that user is required.
- UNIX's su command is the most common example of impersonation at the operating system level: it allows a user to temporarily take on the identity of another user and easily revert back when done.

Slide 5

Permissions in Windows Systems
- Windows systems can handle a degree of impersonation, but Microsoft has only recently provided APIs that make this as convenient as in UNIX systems (example: the .NET WindowsIdentity class).
- Permissions in Windows systems are typically provided using Access Control Lists (ACLs); granting permission means adding a user to the list.
- The user can then access the resource repeatedly, even after logging out of and back into the system.
- This provides no additional security if, for instance, an attacker takes over an account: by taking control of the account, the attacker automatically has full access to every resource that the account has permission to access.

Slide 6

Control Access with Impersonation
- The user is required to effectively request access to the resource each time access is required.
- Rights to the resource are maintained only during the course of impersonation; once the user reverts (i.e., turns off impersonation), the additional access rights are no longer granted.
- If an account is compromised, the attacker will also have to compromise the impersonation context in order to gain access to the more secure resources.

Slide 7

Security Through Least Privilege
- Create users with few or no permissions, and allow them to briefly escalate their privileges when greater access is required.
- Generally implemented using proxies: users (or other security principals) that have access to a resource but cannot be authenticated externally.
- Low-privileged external users complemented by higher-privileged proxy users provide a buffer against attack: the only accounts an attacker can directly compromise from the outside have no permissions.
- Accessing more valuable resources requires additional work on the part of the attacker, giving you that much more of a chance to detect problems before they occur.
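The proxy pattern from this slide, worked through in T-SQL as an added example (not code from the original slides or from Adam Machanic's article): the external login is granted nothing on the table, a proxy user created WITHOUT LOGIN holds the permission but cannot be authenticated from outside, and a stored procedure with EXECUTE AS takes on the proxy's rights only while it runs. All table, procedure and principal names are hypothetical.

```sql
-- Constructed example, not from the slides: an external login with no table
-- permissions, a proxy user that cannot be authenticated externally, and a
-- procedure that impersonates the proxy only while it runs. All names are hypothetical.

-- 1. A sensitive table the application should never read directly.
CREATE TABLE dbo.Salaries (
    EmployeeId INT PRIMARY KEY,
    Amount     MONEY NOT NULL
);
INSERT INTO dbo.Salaries VALUES (1, 50000), (2, 72000);  -- constructed rows

-- 2. External principal: can connect, but is granted nothing on the table.
CREATE LOGIN AppLogin WITH PASSWORD = 'ReplaceWithAStrongPassword!1';
CREATE USER AppUser FOR LOGIN AppLogin;

-- 3. Proxy principal: holds the permission but has no login, so it cannot
--    be authenticated from outside the database.
CREATE USER SalaryProxy WITHOUT LOGIN;
GRANT SELECT ON dbo.Salaries TO SalaryProxy;
GO

-- 4. The only sanctioned path to the data: the procedure escalates to the
--    proxy's rights on entry and the context reverts automatically on return.
CREATE PROCEDURE dbo.GetSalary @EmployeeId INT
WITH EXECUTE AS 'SalaryProxy'
AS
BEGIN
    SET NOCOUNT ON;
    -- ORIGINAL_LOGIN() still names the login that actually connected,
    -- so the real caller can be audited even inside the impersonation.
    SELECT EmployeeId, Amount
    FROM dbo.Salaries
    WHERE EmployeeId = @EmployeeId;
END;
GO
GRANT EXECUTE ON dbo.GetSalary TO AppUser;
GO

-- 5. Verify the boundary by switching to the low-privileged principal.
EXECUTE AS LOGIN = 'AppLogin';
SELECT * FROM dbo.Salaries;         -- error: SELECT permission was denied
EXEC dbo.GetSalary @EmployeeId = 1; -- succeeds via the proxy's rights
REVERT;                             -- back to the original context; rights gone
```

Run the script as a sysadmin: the final EXECUTE AS LOGIN needs IMPERSONATE permission on AppLogin, which sysadmin already holds.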

Summary: The key to locking down resources in any kind of system—database or otherwise—is quite simple in essence: Any given user should have access to only the bare minimum set of resources required, and for only as much time as access to those resources is needed.

Tags: microsoft sql server training courses
