
Security and Performance implications of "View Server State"


Problem

This question points out that "View Server State" permission is required for various DMVs (dynamic management views), but I can't find anything about who you do and do not want to grant the permission to.

Now of course I understand "least permissions", and why you wouldn't want to just grant it to anybody, but I can't find any guidance on how to evaluate whether it SHOULD be granted or not.

So, my question: What are the security and performance implications of granting a user "View Server State" permission? What can they do that they maybe shouldn't be allowed to do...

Update: one implication is that the user will be able to use DMVs to look at queries. If the queries or query parameters can contain confidential information that the user wouldn't otherwise be able to see, allowing VIEW SERVER STATE would allow them to do so (i.e. dob = or ssn =).

Solution

There are no significant performance issues that I can think of from granting this permission. From a security perspective, you run the risk of letting a user see details about your weak spots, so for example, a malicious user could view what your most common wait stats are, which could help them target a DoS attack against your server.

Is this possible? Definitely.
Is this likely? I'm compelled to say No, but remember that it is estimated that 90 percent of attacks against companies are from internal attackers.

Context

StackExchange Database Administrators Q#27485, answer score: 9
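
The following T-SQL is an added example, not part of the original question or answer: a review a DBA could run to see who currently holds VIEW SERVER STATE (directly, through CONTROL SERVER, or through sysadmin membership) and whether cached statement text carries literals like those named in the question's update. The `ssn =` and `dob =` search patterns are constructed placeholders taken from that update, not real column names.

```sql
-- Added example (not from the original post). Run as a sysadmin.

-- 1. Who can read server-state DMVs?
--    VIEW SERVER STATE is implied by CONTROL SERVER and by sysadmin membership.
--    DENY rows (state = 'D') are excluded here; a DENY overrides a GRANT
--    for everyone except sysadmin members.
SELECT  pr.name               AS principal_name,
        pr.type_desc          AS principal_type,
        pe.permission_name,
        pe.state_desc         AS grant_state,
        'explicit permission' AS source
FROM    sys.server_permissions AS pe
JOIN    sys.server_principals  AS pr
        ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class = 100                       -- server-level permissions
  AND   pe.permission_name IN (N'VIEW SERVER STATE', N'CONTROL SERVER')
  AND   pe.state IN ('G', 'W')               -- GRANT, GRANT WITH GRANT OPTION
UNION ALL
SELECT  m.name, m.type_desc, N'VIEW SERVER STATE', N'GRANT',
        'member of ' + r.name
FROM    sys.server_role_members AS rm
JOIN    sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name = N'sysadmin'
ORDER BY principal_name;

-- 2. What would a grantee see? Cached statements whose text matches
--    sensitive-looking predicates. The LIKE patterns are constructed
--    placeholders; substitute the column names that matter in your schema.
--    (This query's own text also matches the patterns and may appear.)
SELECT TOP (50)
        qs.last_execution_time,
        qs.execution_count,
        DB_NAME(st.dbid) AS database_name,
        st.text          AS statement_text
FROM    sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE   st.text LIKE N'%ssn =%'
   OR   st.text LIKE N'%dob =%'
ORDER BY qs.last_execution_time DESC;
```

Rows in the second result whose text contains a literal value rather than a parameter marker are readable by any principal listed in the first result. Parameterized statements show only the marker in this text column, although compiled parameter values can still appear in cached plan XML.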
