Are there any risks to granting users SQL Server SHOWPLAN permission?
https://dba.stackexchange.com/questions/10406
-
16-10-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm doing some performance tuning on a large SQL server 2008 database, and the IT group is unwilling to give SHOWPLAN permission. In the past, "Show Execution Plan" has been the most effective way to understand the performance of individual queries and procedures.
What risks are inherent on granting this permission? Is there a legitimate justification for this restriction on a development copy of the database?
Note: This SQL IT group has 200+ databases under a single SQL Server instance. Thanks.
Answer: I am taking the lack of response to mean that there are no significant security risks, other than the one noted below. Basically, restricting this on a development database is counterproductive.
I will update this if anyone comes up with a better answer. Thanks for your comments!
Solution
Take a look at Showplan Security in Books Online, which says:
Users who have
SHOWPLAN,ALTER TRACE, orVIEW SERVER STATEpermission can view queries that are captured in Showplan output. These queries may contain sensitive information such as passwords. Therefore, we recommend that you only grant these permissions to users who are authorized to view sensitive information, such as members of the db_owner fixed database role, or members of the sysadmin fixed server role. We also recommend that you only save Showplan files or trace files that contain Showplan-related events to a location that uses the NTFS file system, and that you restrict access to users who are authorized to view sensitive information.For example, consider the following query:
SELECT COUNT(*) FROM table_1 WHERE column_1 < 10If a malicious user produces Showplan output for a set of queries like this example, and replaces the value "10" in the predicate with different constants each time, the user could infer an approximate data distribution of the column values for column_1 in table_1 by reading the estimated row counts.
This risk does seem negligible, especially given this is a development server, where all queries would be from devs and IT people, not users.
