Privilege Escalation Without Ownership Chains

In this post, Data Education founder and trainer Adam Machanic discusses the use of privilege escalation without ownership chains. Here, he explains when it does not work and gives two other kinds of privilege escalation that can be used.

Ownership chaining will not work if the object owner does not match the module owner, or if dynamic SQL is used. In these cases, you’ll have to use one of the two other kinds of privilege escalation provided by SQL Server: an extension to stored procedures using the EXECUTE AS clause, or module signing using certificates.

Using the EXECUTE AS clause with stored procedures is an easy and effective method of escalating permissions, but is not nearly as flexible as what can be done using certificates. With certificates, permissions are additive rather than impersonated—the additional permissions provided by the certificate add to, rather than replace, the permissions of the calling principal.
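The two mechanisms side by side, as an added T-SQL example that is not from the original post: the same procedure uses dynamic SQL (which breaks ownership chaining), first with EXECUTE AS OWNER and then with a certificate-signed module whose grants are additive. Database, table, user and certificate names are assumptions chosen for the example.

```sql
-- Assumed objects: database AppDb, table dbo.Payroll, low-privilege user AppUser.
USE AppDb;
GO
-- Option 1: EXECUTE AS OWNER. Inside the module the caller is impersonated as dbo,
-- so the dynamic SQL runs with dbo's rights and the caller's own rights are replaced.
CREATE PROCEDURE dbo.GetPayrollByDept @Dept sysname
WITH EXECUTE AS OWNER
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT EmployeeId, Salary FROM dbo.Payroll WHERE Dept = @Dept;';
    EXEC sp_executesql @sql, N'@Dept sysname', @Dept = @Dept;   -- no ownership chain here
END;
GO

-- Option 2: module signing. Permissions granted to the certificate's user are
-- added to the caller's own permissions only while the signed module executes.
CREATE CERTIFICATE PayrollReaderCert
    ENCRYPTION BY PASSWORD = 'placeholder-strong-password'
    WITH SUBJECT = 'Signs dbo.GetPayrollByDept2';
GO
CREATE USER PayrollReaderCertUser FROM CERTIFICATE PayrollReaderCert;
GRANT SELECT ON dbo.Payroll TO PayrollReaderCertUser;   -- least privilege: one table
GO
CREATE PROCEDURE dbo.GetPayrollByDept2 @Dept sysname
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT EmployeeId, Salary FROM dbo.Payroll WHERE Dept = @Dept;';
    EXEC sp_executesql @sql, N'@Dept sysname', @Dept = @Dept;
END;
GO
ADD SIGNATURE TO dbo.GetPayrollByDept2
    BY CERTIFICATE PayrollReaderCert
    WITH PASSWORD = 'placeholder-strong-password';
GO
-- Drop the private key so no further modules can be signed with this certificate.
ALTER CERTIFICATE PayrollReaderCert REMOVE PRIVATE KEY;
GO
-- The caller needs only EXECUTE; any ALTER of the procedure silently removes the signature.
GRANT EXECUTE ON dbo.GetPayrollByDept2 TO AppUser;
GO
-- Check that the signature is still in place (empty result means the grant is not in effect).
SELECT cp.crypt_type_desc, c.name AS certificate_name
FROM sys.crypt_properties AS cp
JOIN sys.certificates AS c ON c.thumbprint = cp.thumbprint
WHERE cp.major_id = OBJECT_ID(N'dbo.GetPayrollByDept2');
```

Re-run the final SELECT after every deployment that touches the procedure: a re-created or altered module must be signed again or its callers lose the certificate's permissions.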