Are passwordless logins like ##MS_SQLResourceSigningCertificate##, ##MS_AgentSigningCertificate## a vulnerability?
Problem
I'm new to MS SQL Server.
Colleagues working in IT security have run a scan showing some DB users with null password.
Some of them are (# included):

##MS_SQLResourceSigningCertificate##
##MS_SQLReplicationSigningCertificate##
##MS_SQLAuthenticatorCertificate##
##MS_PolicySigningCertificate##
##MS_SmoExtendedSigningCertificate##
##MS_AgentSigningCertificate##

I suspect they are not a security threat but, since they don't use Windows Authentication either, I don't know how to support that assumption.
What are these logins for?
Solution
These logins are created from a certificate. In fact, if you run the following query:

    select
        name,
        type_desc
    from sys.server_principals
    where type = 'c';

You will see that they are of type CERTIFICATE_MAPPED_LOGIN. They are used typically to sign code. And you cannot use a certificate mapped login to connect with SQL Server. Please see this BOL reference on CREATE LOGIN:

"Logins created from certificates or asymmetric keys are used only for code signing. They cannot be used to connect to SQL Server."
Context
StackExchange Database Administrators Q#47999, answer score: 4
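
An added example, not part of the original answer: a triage query for a "null password" scan result that separates certificate- and key-mapped principals (which cannot connect) from SQL logins whose password really is blank. It assumes a session with CONTROL SERVER, which is needed to read password_hash; the column aliases and finding labels are illustrative.

```sql
-- Added example: classify every login a "null password" scan might flag.
-- Types: C = certificate-mapped, K = asymmetric-key-mapped, S = SQL login.
SELECT
    sp.name,
    sp.type_desc,
    sp.is_disabled,
    c.name        AS mapped_certificate,   -- certificate in master sharing the login's SID
    c.expiry_date AS certificate_expiry,
    CASE
        -- Mapped principals exist only for code signing; no password applies.
        WHEN sp.type IN ('C', 'K')
            THEN 'code signing only, cannot connect'
        -- PWDCOMPARE hashes the empty string and compares it to the stored hash.
        WHEN PWDCOMPARE('', sl.password_hash) = 1
            THEN 'SQL login with blank password'
        -- NULL here usually means the caller lacks CONTROL SERVER.
        WHEN sl.password_hash IS NULL
            THEN 'password hash not readable, review'
        ELSE 'SQL login with password set'
    END AS finding
FROM sys.server_principals AS sp
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
LEFT JOIN master.sys.certificates AS c
       ON c.sid = sp.sid
WHERE sp.type IN ('C', 'K', 'S')
ORDER BY finding, sp.name;
```

Rows reported as 'SQL login with blank password' are the ones that warrant follow-up; the ##MS_...Certificate## entries should land in the code-signing group with their backing certificate named.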