RPC on SQL Server Accounts
Overview
This address using a Secret Server privileged account to change SQL Server accounts. This enables taking over those accounts without knowing their password.
Creating the Account
-
Open SQL Server Management Studio.
-
Connect to your database server.
-
Expand the root-level security folder.
-
Right-click the Logins folder and select New Login.
-
Give the account a log on name.
-
Select SQL authentication.
-
Go to Secret Server.
-
Create a secret using the SQL Server Account template.
-
Assign it the desired username .
-
Click the Generate button on the secret password field to create a password.
-
Copy that password to the account creation wizard in SQL Server Management Studio.
-
Click the OK button to save the secret.
Assign Permissions
- In SQL Server Management Studio, go to Security > Logins in the object explorer.
- Right click on the SQL login object and select Properties. The Login Properties dialog box appears.
- Select Securables in the Select a page list.
- Find the Alter any login permission on the Explicit tab at the bottom of the dialog box.
- Click to select the Grant check box for that permission.
- Click the OK button.
- Similarly, enable the Control Server permission. This is for changing the target logins that are members of the sysadmin fixed server role or grantees of this permission.
Using the Account
-
In Secret Server, open the SQL Server secret that you created.
-
Click the Remote Password Changing tab.
-
Click the Edit link.
-
Click to select Privileged Account Credentials in the Change Password Using selection buttons. The Privileged Account section appears.
-
Click the No Secret Selected link.
-
Select the secret you created earlier. The secret appears in the Privileged Account section.
-
Click the Save button.
-
Click the Change password remotely button.
-
Provide or generate a new password.
-
Click the Change button. You have now successfully changed a SQL Server account password using a privileged account.
