Vendors have bad practices

Posted by Gryyphyn@reddit | sysadmin | View on Reddit | 33 comments

Vendors suck. Why does anyone let vendors build solutions in our environments with bad practices like using named users instead of service accounts for databases? I have a database that runs under a named user account that was built by a vendor and the named account belongs to a person who's no longer there. So of course we've already terminated the user and they're no longer in AD. If I try to create a new user with the same username of course the SID doesn't match so it can't authenticate to the database to do any owner operations or assign a new db_owner. Of course because we let the vendor manage their stuff in our network they didn't add my team as db_owner I can't do anything in the DB and they've lost the default DB creds which they never provided to us in the first place. If anybody has any ideas how I can get past this problem without having to rebuild the database for an existing production solution I would be eternally grateful. And if you work for a vendor: I'm not mad at you but push back against crap practices like this. If you manage a solution for your clients, in their network or yours, it's your responsibility to maintain appropriate access to data and resources. That means making sure you don't delete the only account which has access to those resources. Same goes for everyone, of course.

Reply to Post

33 Comments

[-]

Chance-Brilliant-964@reddit

There are plenty of tools that you can dismount use to reset it. Plenty.

[-]

YumWoonSen@reddit

I've seen vendors ask for an account to use and their contact inside the company says, "Just use my account." Same as I've seen "good IT people" use their accounts instead of a service account. /Don't start me on service accounts with 13-year old passwords

[-]

sirbzb@reddit

With vendor hat on yes, that is too common, people panic when they have failed to prepare. Certainly and absolutely not always but I think the few do believe that vendors control their domains and can create accounts using a magic vendor wand. So are able to create sensible accounts all by themselves on a whim- as that's actually impossible the project then magically gets stuck because there is no account. Someone from IT then panics as they are being charged hourly and jams in the domain admin account credentials 'cos it'll definitely work' and then you go home and repeatedly smash your face through a wall whilst pouring whisky over your head knowing that tomorrow it all starts over again.

[-]

AppIdentityGuy@reddit

Why do people use service accounts instead of GMSAs???

[-]

ozarkpagan@reddit

This is my constant struggle. I'll give very clear requirements prior to the implementation, request a bare minimum of rights, and still end up running services or scheduled tasks under bob_admin@fuckup_msp.com.

[-]

davidgoering@reddit

This is usually the result of a proof of concept that is then promoted to Production. Bad idea, much less work, and horrible practice. Always have a Dev instance for testing, but always build Production to secure best practices, with solid documentation.

[-]

disclosure5@reddit

>Why does anyone let vendors People don't usually have a choice. More of than not some executive buys these products without telling anyone, and the directive from the business will be along the lines of "just make sure that vendor is looked after and don't upset them whatever happens".

[-]

RestinRIP1990@reddit

I don't let vendors do any builds without long discussions and making them adhere to security practices. I usually end up annoyed by them at some point, either their lack of updates or patching, or just bad support. All vendor stuff gets put in dmzs, qnd if they need remote access they uae what we provide, not what they want.

[-]

fp4@reddit

Put it into single user mode and backdoor your way in: https://www.sqlshack.com/recover-lost-sa-password/

[-]

Mr-RS182@reddit

Don’t this a couple times when SA login details have been lost

[-]

Gryyphyn@reddit (OP)

You may have just become my best friend. I'll let you know how it turns out. Thanks!

[-]

Teximus_Prime@reddit

This should be the answer. Once you have control over the instance again, you can reassign permissions and ownership as you need.

[-]

Nearby-Row1851@reddit

Just had to use this method last week and it worked like a charm. Hopefully it works for you too!

[-]

MNmetalhead@reddit

You should see the shit healthcare software vendors do. “What do you mean you can’t have a system in your environment that runs _only_ Windows Pro with an autologon for a local account named ‘admin’ that has SA access to the local SQL database we’re running?”

[-]

Gryyphyn@reddit (OP)

It's like you know where I work...

[-]

MNmetalhead@reddit

I did some time doing desktop support for a healthcare environment.

[-]

ValidDuck@reddit

> And if you work for a vendor I work for a vendor selling solutions... We're almost certainly not selling to you. The people we sell to dictate the procedures and practices we have to follow. In the absence of that our company would absolutely push minimum security solutions... because it's cheaper and easier and faster. We've spent the last two weeks validating our entire deployment architecture against our clients requirements. We're producing detailed reports attesting that either we are in compliance with the requirement, or we are not in compliance with the requirement, the reason, and any further mitigations. That's what you get when you spend 7 and 8 digit sums on a solution. (and deal with a company that at least openly claims to take cyber security seriously). We'd be very hard pressed to comply with such standards on lower price tags. (this stuff takes a lot of man hours from highly compensated experts). --- When we find ourselves in your situation.. where we want to deploy a solution from another vendor... they either need to certify that they meet the requirements, or we have to treat it as an insecure/hostile component that can't be trusted. That means network separation, resource separation, and any interconnects are rigorously documented (and proven to be operationally required).

[-]

Gryyphyn@reddit (OP)

It's awesome to see that at least some vendors care and I know they exist. Not all of our vendors are bad. I've become pretty good friends with several, hang out at the bar when they come to wine and dine. I'm glad you're one of those. :)

[-]

ValidDuck@reddit

like i said... if the pay for the contracts wasn't stupid high and they didn't have their own security requirements... we'd almost certainly be pushing crap, telling you to run it as admin, and open your firewall wide open. There's just more money to be made operating that way than by accepting normal commercial grade contracts and then trying to conform your product to random security standards set by random it departments. It's pretty rare to find vendors that sell products that aren't regulated or used in highly regulated environments that actually take pride in cyber security... especially when best practices mean slow or complicated deployments....

[-]

Gryyphyn@reddit (OP)

I'll take a slow, robust, and properly structured deployment to a pile of garbage I gotta spend the next couple years fixing. Colossal waste of my time.

[-]

fieroloki@reddit

I think we can all agree that this could have been summed up with the first 2 words.

[-]

TheBestHawksFan@reddit

Me, looking at the title and not the body, “I don’t think vendors have is a full sentence”

[-]

ISeeTheFnords@reddit

Neither is "Why does"

[-]

TheBestHawksFan@reddit

Originally it said “vendors suck.” First.

[-]

Gryyphyn@reddit (OP)

Yeah, after vendor dude posted I felt it was a bit confrontational to unintended good folks.

[-]

fieroloki@reddit

Ok, that's fair.

[-]

253IsHome@reddit

Bro if they built the solution autonomously and then *lost the sa password*, forcing you into a rebuild scenario, push hard to make them pay for that. Or restore the AD account from application-aware Veeam. Which you have. Right?

[-]

Gryyphyn@reddit (OP)

Yes, but not old enough. The AD account was deleted two years ago. I have my guys looking through backups but I'm not hopeful.

[-]

253IsHome@reddit

Fortunately, if this is MSSQL, there has historically been a way to issue SQL commands after launching the server in single user mode to re-establish a working login. I don't know if you have other hurdles preventing that, but it's traditionally doable.

[-]

DodgeCharger6@reddit

Honestly.... your IT sucks. You guys allowed a vendor to install a SQL server on your guy's env and didn't document a SA password? If they used his account as a service account it means he was probably aware that his account was being used and was okay with it. If it was a SQL server you guys set up then it all falls on you. After all this you decide to put all the blame on the vendor? lol  Was this entire SQL server created by the vendor or yourself? You can try seeing if the local admin account on the server has access to the server. (assuming this is MSSQL).

[-]

Gryyphyn@reddit (OP)

Ho now, slow down. I inherited the poop parade. I don't let people get away with not documenting creds. But I have had more than one vendor try to maintain a no stance on giving us their creds for exactly this reason. It's my data. I don't care if they're managing it. I have tried the accounts I have documented but none of them are db_owner. And yes, it's MSSQL.

[-]

DodgeCharger6@reddit

Are these other accounts sysadmin on the server? They don't need to be db\_owner to manage the databases. When you first set up MSSQL server it automatically adds the account you are logged into as a sysadmin of the server. Check if it they installed it with the local admin account.  But yeah, a lot of these vendors are outsourcing their IT to other countries, which I agree sucks but as sys admins we are the gatekeepers of our envs.

[-]

Gryyphyn@reddit (OP)

I wish that were the case. Unfortunately they did something atypical with the build. I can manage the sys dbs, not "theirs". Someone else suggested back door recovery of the sa which I didn't think of. Fingers crossed...