Security Context of Service Broker Internal Activation

Monday Feb 9th 2009 by Marcin Policht

The previous installment of "SQL Server 2005 Express Edition" discussed Service Broker's internal activation, which allows you to automate communication between initiator and target. Unfortunately, there are some caveats related to its security context. This article describes their specifics and provides a couple of methods to eliminate any undesirable side effects they introduce.

In the previous installment of our series dedicated to the most prominent features of SQL Server 2005 Express Edition, we discussed one of the Service Broker-related technologies known as internal activation. As we have explained, its primary purpose is to trigger execution of an arbitrary stored procedure associated with a Service Broker queue, whenever there is the need to process incoming messages. While such capability offers meaningful benefits, allowing you to automate communication between initiator and target, there are some caveats related to its security context that you should be aware of. In this article, we will describe their specifics and provide a couple of methods, which allow you to eliminate undesired side effects they introduce.

If you decided to customize our example illustrating the new functionality and modified the sample stored procedure, such that its scope extended beyond the database where the Service Broker constructs reside (for example, by referencing objects located in other databases or querying server-level entities, such as linked servers, master system tables, or dynamic management views), you likely to discovered that the results were different, depending on whether you executed it interactively or invoked through internal activation. Interestingly, this somewhat surprising inconsistency does not relate in any way to Service Broker characteristics, but instead is a side effect of the EXECUTE AS clause incorporated into CREATE QUEUE and ALTER QUEUE statements, used to apply activation (via WITH ACTIVATION clause) to initiator and target queues. In short (a more detailed explanation of the underlying cause is provided in the Extending Database Impersonation by Using EXECUTE AS article posted on the MSDN Web site), such behavior is intentional and put into place in order to prevent potential privilege elevation exploits. Impersonation of another user is limited to the local database, with actions that involve other databases and server-wide access defaulting to permissions granted to the guest role.

There are, however, scenarios in which cross-database access is required. In general, you have two options that allow you to work around the built-in restrictions described above. The first one involves designating the database hosting Service Broker objects (including the activated stored procedure) as trustworthy, which in our case, would be accomplished by running the following (note that you must be a member of the sysadmin fixed server role, in order to successfully execute this statement):


In addition, you would need to ensure that a database user responsible for authenticating internally activated stored procedures (typically the database owner) gets associated with a security principal (through a designated SQL Server login), which serves an equivalent role in the database containing cross-referenced objects. Furthermore, that principal should be granted AUTHENTICATE privilege on its database (or AUTHENTICATE SERVER, if server-wide access is required). While this approach is fairly straightforward and relatively simple to implement, it lacks granularity that would allow control to both the level of access and a mechanism used to facilitate it (such as solely via a specific internally activated stored procedures). If such security exposure is not acceptable, you should consider the alternative approach, which leverages digital certificates.

The second, considerably more flexible method of mitigating shortcomings imposed by the EXECUTE AS statement is also significantly more complex. In short, it involves signing a stored procedure assigned to the target Service Broker queue with a locally generated certificate, which also gets associated with a user in the referenced database (in case of cross-database interaction) or a SQL Server login (if access to server-level objects is required). This security principal provides security context in which the activated stored procedure operates outside of its local database (and hence, it also needs to be granted appropriate object level permissions, as well as the AUTHENTICATE or AUTHENTICATE SERVER privilege). However, this extra complexity might be warranted if you take into account the benefits it yields. Since there is one-to-one relationship between the private key and its public counterpart (and the corresponding security principal), you not only have the ability to restrict permissions to absolute minimum, but also ensure that they are available exclusively via the signed stored procedure. In addition, digital signatures provide the guarantee that a stored procedure has not been modified after its signing.

This entire process can be broken into the following individual steps:

  • designating the security context, in which the internally activated stored procedure will be executing by adding WITH EXECUTE AS OWNER clause, following directly the CREATE PROCEDURE or ALTER PROCEDURE, as in the following example (note that, for the sake of brevity, we have omitted the full declaration):
     CREATE PROCEDURE dbo.cspProcessqRecv
      AS (...)
  • creating a certificate in the database, where activation stored procedure and other Service Broker objects are located (we are assuming that the database master key already exists, since we created it in the course of one of our earlier examples. If that is not the case, you can generate it with the CREATE MASTER KEY ENCRYPTION statement or use ENCRYPTION BY PASSWORD clause in the CREATE CERTIFICATE statement):
     -- on srvEnt01
     USE dbSBEnt01
     CREATE CERTIFICATE cert_cspProcessqRecv 
      WITH SUBJECT='cspProcessqRecv Signing Certificate'
  • signing the activation stored procedure using the newly created certificate
     ADD SIGNATURE TO dbo.cspProcessqRecv
      BY CERTIFICATE cert_cspProcessqRecv
  • backing up the certificate (along with its public key) into a file in order to import it afterwards into the target database
     BACKUP CERTIFICATE cert_cspProcessqRecv
      TO FILE = 'c:\Temp\cert_cspProcessqRecv.cer'
  • removing the private key from the certificate to prevent its potential exploit (you can also export it to a file, using BACKUP CERTIFICATE statement including WITH PRIVATE KEY clause, and store it in a secure location)
     ALTER CERTIFICATE cert_cspProcessqRecv
  • transferring certificate to the target database (this could be either the master database - in case system level privileges are required - or another user database if the stored procedure needs to be able to access its objects). This is accomplished by importing it from the previously generated file.
     USE anotherDB
     CREATE CERTIFICATE cert_cspProcessqRecv
      FROM FILE = 'c:\Temp\cert_cspProcessqRecv.cer'
  • creating a user (or a login, if appropriate) in the target database associated with the newly imported certificate and granting AUTHENTICATE or AUTHENTICATE SERVER privilege to it. As mentioned earlier, you will also need to grant to this security principals appropriate permissions on the target objects (specifics depend solely on the type of action that is to be performed by the activated stored procedure, so they are not included in the statements listed below).
     USE anotherDB
     CREATE USER u_cspProcessqRecv
      FROM CERTIFICATE cert_cspProcessqRecv
     GRANT AUTHENTICATE TO u_cspProcessqRecv

Note that you should be able to discover any potential problems caused by the EXECUTE AS statement by simply using it to interactively invoke any stored procedures you are planning to employ in Service Broker activation solutions. We are hoping that the information presented in this article will help you deal with any issues you might run into during such tests. In our next article, we will cover transactional characteristics of Service Broker conversations.

» See All Articles by Columnist Marcin Policht

Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved