Sometimes we have support and maintenance people logged into our Production apps and SQL Server all day long, sometimes hopping in and out to run SQL various queries. However this question isn't about running SQL queries, it is about the RDP connection being open with a user account (admin) being logged in for hours on end. Besides that it is taking up one of the user accounts, what other problems should I cite when discouraging this behavior?
4 Answers
There are security concerns
For example, an attacker who gains any level of access to the victim server, could run a MIMIKATZ attack and retrieve the clear text credentials that remain in memory when a session is active. The same can probably be done for active kerberos keys that have not yet expired.
Also, some antivirus solutions refuse to update when a session is in DISCONNECTED mode.
These two elements came to mind, I'm certain there are more.
- 21
- 2
Since you allow them to log in as administrators, I assume have no real security concerns, so other than that, the only issue is really reliability. Even there, overall, there are probably not many problems with regards to that.
As far as open connections preventing reboots, I actually made a new post today that would solve that: How do you reboot a server when you are not local to it?
The big issue to me would be that, as you said, they are hogging one of your limited number of connections. Assuming that you do not so what I say in the next paragraph, I would definitely configure local computer policy if you are having issues and want to limit sessions. Open gpedit.msc, navigate to Computer Configuration>Administrative Templates>Windows Components>Terminal Services>Sessions and configure whatever time limits you want.
If you have to justify limiting session to superiors, you can just tell them that you can't manage the server if there are no connections. In the alternative, you could buy 5 Terminal Server Licenses, and make it a TS. I actually have done that for a SQL server one of my clients has.
There are several problems:
- When someone logs into the server with the same username then he/she gets the open session. This person could then see some data they are not allowed to see. Especially if the window with the query result is still open.
- This way nobody knows what is happening within this open window. (e.g. is there are query running for several hours.) If now someone else has to log into the server and has no open session then he will kick someone out. And this could then break the database because the query gets aborted.
- 2,011
- 2
- 17
- 26
-
1#1 should never be a problem, because it's a bad practice to share accounts. And if you are sharing accounts, then *by definition*, the people sharing it are allowed to see any data that might be in that session. – mfinni May 26 '11 at 14:06
-
@mfinni: One customer of mine had this situation. Usually external partners have to come to the office and one of the employees will open the RDP session and will sit next to this person. Once another employee left the session open although there wouldn't have be a need for it. And when the first employee opened a session for the external IT partner he got presented with a screen full of information the external partner shouldn't be allowed to see. So as you can see the problems is a little bit more complicated than just sharing accounts. – Raffael Luthiger May 26 '11 at 14:52
-
1That's a policy problem, not an IT problem. – mfinni May 26 '11 at 15:27
There are no "problems" per se other than sucking up resources on the server that don't need to be used. Additionally when a user is logged in, windowa will not automatically reboot the system (for windows update). this arguement can be used to implement time limits for RDP sessions. However you can go one step further and present a case that they have no businesss logging into the server whatsoever.
You should not need to run SQL queries by logging into the server. SQL server management studio runs right on the local workstation. There are remote management tools built into windows that can be leveraged to manage the server itself.
Most troubling is that you say they are all logging in as administrator. This is a Bad Idea for a whole host of reasons. Users should be granted the permissions they need using their own accounts.
- 23,938
- 4
- 35
- 58