{"id":3315,"date":"2014-06-23T16:21:54","date_gmt":"2014-06-23T15:21:54","guid":{"rendered":"http:\/\/andreas-wolter.com\/sql-server-datenbankbesitz-umfrageergebnisse-und-empfehlungen\/"},"modified":"2026-01-27T20:36:16","modified_gmt":"2026-01-28T01:36:16","slug":"sql-server-database-ownership-survey-results-recommendations","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/sql-server-database-ownership-survey-results-recommendations\/","title":{"rendered":"SQL Server Database Ownership: survey results &#038; recommendations"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-ux089f-c551b1102b6606b8b242f0faac9d811e\">\n#top .av-special-heading.av-ux089f-c551b1102b6606b8b242f0faac9d811e{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-ux089f-c551b1102b6606b8b242f0faac9d811e .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-ux089f-c551b1102b6606b8b242f0faac9d811e .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-ux089f-c551b1102b6606b8b242f0faac9d811e av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >SQL Server Database Ownership: survey results <span class='special_amp'>&amp;<\/span> recommendations<\/h3><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-secjz7-f3e391d109b2c55846c5d00b5bd136f7 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>You may remember the <a href=\"https:\/\/andreas-wolter.com\/en\/security-check-script-survey-sql-server-security\/\">survey on database ownership<\/a> which I launched several months ago.<\/p>\n<p>In the following, I am now presenting the results and giving my official recommendation for a best practice for security in terms of database ownership. First, if you still need the script:<!--more--><\/p>\n<p><a href=\"https:\/\/andreas-wolter.com\/downloads\/1312_database_owner_permissions_roles.sql.txt\">https:\/\/andreas-wolter.com\/downloads\/1312_database_owner_permissions_roles.sql.txt<\/a><\/p>\n<p>Now first <strong>the results<\/strong>. I received data from <strong>58 different servers and 905 databases<\/strong> altogether. That\u2019s not bad, and sufficient for my purpose of giving you, my readers, the opportunity to find out how others configure their servers.<\/p>\n<p style=\"text-align: center;\"><em>Many thanks to all those who submitted!<\/em><\/p>\n<p>You may still share results but I can\u2019t promise how soon I can include them. (<a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2013\/12\/survey-sql-server-database-ownership-datenbankbesitzer\" target=\"_blank\" rel=\"noopener\">Here is the survey plus the script for collection<\/a>) So now to the details. I put the most interesting data in charts. The most obvious issue is that of the <em>external owner\u2019s <\/em>account, which is most often and not very surprisingly <strong><em>sa<\/em><\/strong>:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-rvebsj-d311686f49688fe5b23249e738683a18\">\n.avia-image-container.av-rvebsj-d311686f49688fe5b23249e738683a18 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-rvebsj-d311686f49688fe5b23249e738683a18 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-rvebsj-d311686f49688fe5b23249e738683a18 av-styling- avia-align-center  avia-builder-el-2  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3305 avia-img-lazy-loading-not-3305 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_External_Database_Owner_pct.png\" alt='' title='1406_SQL_Server_External_Database_Owner_pct'  height=\"222\" width=\"423\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_External_Database_Owner_pct.png 423w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_External_Database_Owner_pct-300x157.png 300w\" sizes=\"(max-width: 423px) 100vw, 423px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-p0v9pf-ebfa69012e21a7d1b1fe87c537640b6d '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>57% of all databases belong to <em>sa<\/em> itself. Actually, this is better than expected. But let\u2019s dive deeper \u2013 what\u2019s the <em>server role<\/em> behind the remaining 42%?<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-ohvr83-df0558a3610f9d2befb41c0178e5c2f9\">\n.avia-image-container.av-ohvr83-df0558a3610f9d2befb41c0178e5c2f9 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-ohvr83-df0558a3610f9d2befb41c0178e5c2f9 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-ohvr83-df0558a3610f9d2befb41c0178e5c2f9 av-styling- avia-align-center  avia-builder-el-4  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3307 avia-img-lazy-loading-not-3307 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct.png\" alt='' title='1406_SQL_Server_Role_Membership_of_Database_Owner_pct'  height=\"361\" width=\"707\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct.png 707w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct-600x306.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct-300x153.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct-705x360.png 705w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_pct-450x230.png 450w\" sizes=\"(max-width: 707px) 100vw, 707px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-mohxkj-6749d42ed88b3304887247f208f26e9f '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Ok, that changes the picture quite a bit. <strong>Almost 80% of all Database owners are <em>sysadmin<\/em><\/strong>. So that is by no means any better than <strong><em>sa<\/em><\/strong>.<\/p>\n<p>Then some other accounts follow, which means those have low privileges (\u201cexcellent\u201d), and then comes <strong><em>dbcreator<\/em><\/strong>, <strong><em>securityadmin<\/em><\/strong>, that are later followed by some other high privileged server roles, though with much less power. So in other words: <strong>only 7% of all those databases have been looked at with security in mind<\/strong> by only using low privileged accounts as owners.<br \/>\nIf you are interested in the plain numbers, here they go:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-l1935v-bb857910147a3e3dc08d359b119e83c0\">\n.avia-image-container.av-l1935v-bb857910147a3e3dc08d359b119e83c0 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-l1935v-bb857910147a3e3dc08d359b119e83c0 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-l1935v-bb857910147a3e3dc08d359b119e83c0 av-styling- avia-align-center  avia-builder-el-6  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3311 avia-img-lazy-loading-not-3311 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_num.png\" alt='' title='1406_SQL_Server_Role_Membership_of_Database_Owner_num'  height=\"268\" width=\"278\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_num.png 278w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Role_Membership_of_Database_Owner_num-36x36.png 36w\" sizes=\"(max-width: 278px) 100vw, 278px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-j1dn0j-66f62f9de9c3becc6d101d9a87a15e1b '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>I did include some of the security-wise critical database- &#038; server configurations:<\/p>\n<ol>\n<li>Is the database set to be \u201c<strong><em>Trustworthy<\/em><\/strong>\u201d?<\/li>\n<li>Is the database set to have \u201c<strong><em>Database chaining on<\/em><\/strong>\u201d?<\/li>\n<li>Is the Server set to have <strong><em>\u201ccross database chaining on<\/em><\/strong>\u201d?<\/li>\n<\/ol>\n<p>Those are actually the even more important results.<br \/>\nSince the system databases need to have a different setting by default, I am excluding them, making it a total of 847 User databases. <strong>Of which 30 have the trustworthy bit set to on, and 35 have the database chaining.<\/strong><br \/>\nWhat you can\u2019t see in this graph, but what I can tell from the raw data, is that those 30 \u201ctrustworthy\u201d databases all are <strong>owned by a <em>sysadmin<\/em><\/strong>.<br \/>\nAnd <strong>THIS now is the biggest security-hole in this area! <\/strong><\/p>\n<p>Here a graph on that:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-grae4j-722039a50aee01e57666be21badd423e\">\n.avia-image-container.av-grae4j-722039a50aee01e57666be21badd423e img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-grae4j-722039a50aee01e57666be21badd423e .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-grae4j-722039a50aee01e57666be21badd423e av-styling- avia-align-center  avia-builder-el-8  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3309 avia-img-lazy-loading-not-3309 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Critical_Database_Settings_num.png\" alt='' title='1406_SQL_Server_Critical_Database_Settings_num'  height=\"289\" width=\"546\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Critical_Database_Settings_num.png 546w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Critical_Database_Settings_num-300x159.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1406_SQL_Server_Critical_Database_Settings_num-450x238.png 450w\" sizes=\"(max-width: 546px) 100vw, 546px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-1n4mn7-faa4016386829255994904468b94db0b '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>In the interest of time I will focus this post on recommendation rather than explaining all the risks involved. At the end though I will provide some links for further reading.<\/p>\n<p><strong>Possibilities<\/strong><\/p>\n<p>So what are the general variations of database ownership? Let me start with the most common and actually <u>WORST<\/u> possibilities (Yes, I mean it exactly as I say \ud83d\ude09 ):<\/p>\n<ol>\n<li><strong>SA<\/strong>-Account<\/li>\n<li>Some other <strong>SQL-Account<\/strong> with <strong><em>sysadmin<\/em><\/strong> privileges<\/li>\n<li><strong>Windows Login<\/strong> with <strong><em>sysadmin<\/em><\/strong> privileges<\/li>\n<\/ol>\n<p>A first improvement(? \u2013 really?):<\/p>\n<p style=\"padding-left: 30px;\">4. Any of the above with <em>Status = Disabled<\/em><\/p>\n<p>And then:<\/p>\n<p>5. A <strong>\u201dshared\u201d account<\/strong> without any special server role or permissions (aka \u201c1 Account per Server\u201d)<\/p>\n<p>6.<b><strong> 1 Account per Database<\/strong><\/b><\/p>\n<p>7. <strong>1 Account per Application<\/strong><\/p>\n<p>8. <strong>1 Account per Group <\/strong>of databases<\/p>\n<p>+ all of them not only Disabled but with a Denied Connect-Permission<\/p>\n<p><strong>My Recommendation: <\/strong><\/p>\n<p>Depending on your environment: Any of 5, 6, 7 or 8:<\/p>\n<p>Create a specific Login without any extra permissions + <em>Deny Connect<\/em>.<\/p>\n<p>The most simple approach and yet better than sa is: <strong>one database owner per server<\/strong>.<\/p>\n<p><strong>Example for (5):<\/strong><\/p>\n<ul>\n<li>Database1 owned by <strong>DBOwner<\/strong><\/li>\n<li>Database2 owned by <strong><em>DBOwner<\/em><\/strong><\/li>\n<li>Database3 owned by <strong><em>DBOwner<\/em><\/strong><\/li>\n<\/ul>\n<p>Simple and self-explanatory.<\/p>\n<p>The other extreme and most secure is: <strong>per database<\/strong>.<\/p>\n<p><strong>Example for (6):<\/strong><\/p>\n<ul>\n<li>Database1 owned by <strong><em>DBOwner_Database1<\/em><\/strong><\/li>\n<li>Database2 owned by <strong><em>DBOwner_Database2<\/em><\/strong><\/li>\n<li>Database3 owned by <strong><em>DBOwner_Database3<\/em><\/strong><\/li>\n<li>Database4 owned by <strong><em>DBOwner_Database4<\/em><\/strong><\/li>\n<\/ul>\n<p>Some applications use a number of different databases. For them it\u2019s perfectly fine to use the same database owner account. So create an account <strong>per application.<br \/>\n<\/strong><\/p>\n<p><strong>Example for (7):<\/strong><\/p>\n<ul>\n<li>App1Database1 owned by <strong><em>DBOwner_App1<\/em><\/strong><\/li>\n<li>App1Database2 owned by <strong><em>DBOwner_App1<\/em><\/strong><\/li>\n<li>App2Database1 owned by <strong><em>DBOwner_App2<\/em><\/strong><\/li>\n<li>App2Database owned by <strong><em>DBOwner_App2<\/em><\/strong><\/li>\n<\/ul>\n<p>Another approach is kind of a compromise between 1 Database-Owner Account per Server and One per database: Define the level of security needed per database. Then create a <strong>dedicated account for the most critical Databases<\/strong>. And <strong>for the others use a shared owner\/account, possibly divided in 2 or more groups<\/strong>.<\/p>\n<p><strong>Example for (8):<\/strong><\/p>\n<ul>\n<li>CriticalDatabase1 owned by <strong><em>DBOwner_Level1Dedicated1<\/em><\/strong><\/li>\n<li>CriticalDatabase2 owned by <strong><em>DBOwner_ Level1Dedicated2<\/em><\/strong><\/li>\n<li>Level2Database1 owned by <strong><em>DBOwner_Level2<\/em><\/strong><\/li>\n<li>Level2Database2 owned by <strong><em>DBOwner_Level2<\/em><\/strong><\/li>\n<\/ul>\n<p>I hope my samples give you an idea. \ud83d\ude42<\/p>\n<p>So why this effort?<br \/>\nLet me put it this way: <strong>\u201dWhy not sa?\u201d<\/strong>.<\/p>\n<p>First: If you think about it, it actually makes little sense that the highest privileged account in SQL Server is being recommended by so many, even professionals + in Whitepapers (!) \u2013 when security is the focus. It is really wrong, as wrong as it could possibly get. I mean, as you can see, there are other options out there.<\/p>\n<p><strong>The top reason why SA keeps getting recommended is administration itself: It eases the setup for failover and regular database restores<\/strong>, since SA is always available at any server and hence a <em>broken database owner<\/em> can be avoided with almost no extra work. But that\u2019s \u201conly\u201d from a perspective of maintenance. With regard to security it is totally on contrary to the <strong><em>Principle of least privilege<\/em>.<\/strong><\/p>\n<p>It may not matter a lot, if everything else is tightened, but that\u2019s hardly a thing to rely on especially in bigger environments where things change and many people have access and permissions to. Especially in the context of the trustworthy-setting for a database, this completely opens the system for <a href=\"https:\/\/en.wikipedia.org\/wiki\/Privilege_escalation\" target=\"_blank\" rel=\"noopener\">privilege escalation<\/a> attacks from inside. <strong>It is then a piece of cake to gain system level permissions once you are for example in the <em>db_owner <\/em>database group<\/strong> \u2013 like many applications are, if they are not <em>sysadmin<\/em> already.<\/p>\n<p>&#8211; Remember: the owner of a database cannot be denied anything inside and with his database. So he can change structure, create backups, break log-backup-chain and also drop it completely.<\/p>\n<p>And since the attack starts from inside, it really doesn\u2019t matter whether the <em>sa\/sysadmin<\/em> account is disabled as you may now realize. Having a dedicated account with zero special permissions as database owner prevents database principals from gaining system level permissions as a <em>sysadmin<\/em> has, even in the case of the database being <em>trustworthy<\/em>. And <em>trustworthy<\/em> is one of the dirty little shortcuts for developers implementing CLR code inside the database and avoiding the hassle of having to use certificates under certain conditions. The same is often done for code that needs to get server-level data from inside the database.<\/p>\n<p><strong>\u00a0<\/strong><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-1gskrn-99db6c0e2c43f6b0acc41c0d73d0e6a5 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>Call for actions:<\/strong><\/p>\n<p><strong>Check your databases<\/strong>. You can find my script here: <a href=\"https:\/\/andreas-wolter.com\/en\/security-check-script-survey-sql-server-security\/\">Security-Check-Script &#038; Survey: SQL Server Security &#8211; Database-Owners, critical Permissions and role membership<\/a> Now when you start with securing your databases from database-ownership standpoint, you have to make sure that the very account does exist at any sever where this database gets restored\/failed over. Usually you will have a technique in place already to synchronize your server-level principals to your other servers. So this is just one or several more of them. Also make sure you fully understand your environment and possibly application needs before you just change the owner of your databases. You can start by reading through the links at the bottom.<\/p>\n<p><strong>Vote for an improvement in SQL Server: <\/strong>I have created a suggestion as Connect Item which tackles this problem. My idea is having Microsoft include a special \u201cDBOwner\u201d Account at server level by default, which not only pre-exists and has not permissions, but also never compares to another. I think this would make it much easier to get rid of the habit of \u201csa\u201d everywhere by also making it simple to maintain.<\/p>\n<p>Please vote here: <a href=\"https:\/\/connect.microsoft.com\/SQLServer\/feedback\/details\/903782\/providing-a-special-server-principal-for-database-ownership\" target=\"_blank\" rel=\"noopener\">Providing a special Server principal for Database Ownership<\/a><\/p>\n<p>I hope this was helpful.<br \/>\nIf you have any questions feel free to comment. Let me finish up with some links for <strong>further readings:<\/strong><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-d60r9f-ca22232dbdb1577a9d2db51ce618fd43 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Highly recommended reading:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/www.sommarskog.se\/grantperm.html\" target=\"_blank\" rel=\"noopener\">Giving Permissions through Stored Procedures Ownership Chaining, Certificates and the Problematic EXECUTE AS from Erland Sommarskog<\/a><\/p>\n<p>More on Disabling and Deny Connect:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"https:\/\/andreas-wolter.com\/en\/disable-and-deny-login-deny-user-effect-on-impersonation-and-permissions\/\">DISABLE and DENY LOGIN, DENY USER &#038; Effect on Impersonation and Permissions<\/a><\/p>\n<p>More on Trustworthy:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/blogs.msdn.com\/b\/sqlsecurity\/archive\/2007\/12\/03\/the-trustworhy-bit-database-property-in-sql-server-2005.aspx\" target=\"_blank\" rel=\"noopener\">The TRUSTWORHY bit database property in SQL Server 2005<\/a><\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/msdn.microsoft.com\/de-de\/library\/ms187861.aspx\" target=\"_blank\" rel=\"noopener\">TRUSTWORTHY Database Property<\/a><\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/technet.microsoft.com\/en-us\/library\/ms188304%28v=sql.105%29.aspx\" target=\"_blank\" rel=\"noopener\">Extending Database Impersonation by Using EXECUTE AS<\/a><\/p>\n<p>Discussions:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/social.msdn.microsoft.com\/Forums\/sqlserver\/en-US\/87806f1a-ec75-464b-a563-a6f2e1b486d6\/databaseobject-ownership-misalignment?forum=sqlsecurity\" target=\"_blank\" rel=\"noopener\">Database\/Object Ownership Misalignment<\/a><\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/social.msdn.microsoft.com\/Forums\/sqlserver\/en-US\/5ed943be-0a8d-4e6d-a96d-01dd66860cdf\/database-ownership-sa-disabled?forum=sqlsecurity\" target=\"_blank\" rel=\"noopener\">database ownership &#8211; sa disabled<\/a><\/p>\n<p><br class=\"\u201cclear\u201c\" \/>Happy Securing<\/p>\n<p>Andreas<\/p>\n<\/div><\/section>\r\n\r\n<div  class='hr av-a4la9v-59da167ed0c55f98f6aa3a0aa6743faf hr-default  avia-builder-el-12  el_after_av_textblock  el_before_av_one_full '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-8lxh83-3fe92e3aad594ed48b048ff630c6f082\">\n#top .flex_column.av-8lxh83-3fe92e3aad594ed48b048ff630c6f082{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n.flex_column.av-8lxh83-3fe92e3aad594ed48b048ff630c6f082{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n.responsive #top #wrap_all .flex_column.av-8lxh83-3fe92e3aad594ed48b048ff630c6f082{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n<\/style>\n<div  class='flex_column av-8lxh83-3fe92e3aad594ed48b048ff630c6f082 av_one_full  avia-builder-el-13  el_after_av_hr  el_before_av_social_share  first flex_column_div av-zero-column-padding  '     ><section  class='av_textblock_section av-6wt49f-701203548009bc09607971c96b8e3dc2 '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><div><\/div>\n<div><\/div>\n<\/div><\/section><\/div>\r\n\r\n<div  class='av-social-sharing-box av-k5do3-94d54810b78413e2047f8436f7f5de4c av-social-sharing-box-default  avia-builder-el-15  el_after_av_one_full  el_before_av_hr  av-social-sharing-box-fullwidth'><div class=\"av-share-box\"><h5 class='av-share-link-description av-no-toc '>Share<\/h5><ul class=\"av-share-box-list noLightbox\"><li class='av-share-link av-social-link-facebook' ><a target=\"_blank\" aria-label=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https:\/\/andreas-wolter.com\/en\/sql-server-database-ownership-survey-results-recommendations\/&#038;t=SQL%20Server%20Database%20Ownership%3A%20survey%20results%20%26%20recommendations\" aria-hidden=\"false\" data-av_icon=\"\ue8f3\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Facebook\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Facebook<\/span><\/a><\/li><li class='av-share-link av-social-link-twitter' ><a target=\"_blank\" aria-label=\"Share on Twitter\" href=\"https:\/\/twitter.com\/share?text=SQL%20Server%20Database%20Ownership%3A%20survey%20results%20%26%20recommendations&#038;url=https:\/\/andreas-wolter.com\/en\/?p=3315\" aria-hidden=\"false\" data-av_icon=\"\ue8f1\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Twitter\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Twitter<\/span><\/a><\/li><li class='av-share-link av-social-link-linkedin' ><a target=\"_blank\" aria-label=\"Share on LinkedIn\" href=\"https:\/\/linkedin.com\/shareArticle?mini=true&#038;title=SQL%20Server%20Database%20Ownership%3A%20survey%20results%20%26%20recommendations&#038;url=https:\/\/andreas-wolter.com\/en\/sql-server-database-ownership-survey-results-recommendations\/\" aria-hidden=\"false\" data-av_icon=\"\ue8fc\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on LinkedIn\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on LinkedIn<\/span><\/a><\/li><\/ul><\/div><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-3k1c77-7f1fd7caebd4b83b6261b86ce78f62c4\">\n#top .hr.hr-invisible.av-3k1c77-7f1fd7caebd4b83b6261b86ce78f62c4{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-3k1c77-7f1fd7caebd4b83b6261b86ce78f62c4 hr-invisible  avia-builder-el-16  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-buildercomment av-23mjtf-9d1b5c789971f080f2d41e74a110561a  av-blog-meta-author-disabled av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"You may remember the survey on database ownership which I launched several months ago. In the following, I am now presenting the results and giving my official recommendation for a best practice for security in terms of database ownership. First, if you still need the script:","protected":false},"author":4,"featured_media":3309,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[121,57,133],"tags":[220,221,27,187],"class_list":["post-3315","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripts-en","category-security-en","category-surveysumfragen","tag-database-owner-en","tag-db-sicherheit-en","tag-security-en","tag-survey-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3315","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3315"}],"version-history":[{"count":6,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3315\/revisions"}],"predecessor-version":[{"id":3318,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3315\/revisions\/3318"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3309"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3315"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3315"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3315"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}