{"id":3334,"date":"2014-04-26T17:07:36","date_gmt":"2014-04-26T16:07:36","guid":{"rendered":"http:\/\/andreas-wolter.com\/neue-berechtigungen-im-sql-server-2014-und-der-alte-control-server\/"},"modified":"2017-10-18T11:40:06","modified_gmt":"2017-10-18T10:40:06","slug":"new-permissions-in-sql-server-2014-and-the-old-control-server","status":"publish","type":"post","link":"https:\/\/andreas-wolter.com\/en\/new-permissions-in-sql-server-2014-and-the-old-control-server\/","title":{"rendered":"New Permissions in SQL Server 2014: IMPERSONATE ANY LOGIN, SELECT ALL USER SECURABLES, CONNECT ANY DATABASE and the old CONTROL SERVER"},"content":{"rendered":"\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_heading-ebff2e1643d7b84bab0e05c3053bc1cb\">\n#top .av-special-heading.av-av_heading-ebff2e1643d7b84bab0e05c3053bc1cb{\npadding-bottom:10px;\n}\nbody .av-special-heading.av-av_heading-ebff2e1643d7b84bab0e05c3053bc1cb .av-special-heading-tag .heading-char{\nfont-size:25px;\n}\n.av-special-heading.av-av_heading-ebff2e1643d7b84bab0e05c3053bc1cb .av-subheading{\nfont-size:15px;\n}\n<\/style>\n<div  class='av-special-heading av-av_heading-ebff2e1643d7b84bab0e05c3053bc1cb av-special-heading-h3 blockquote modern-quote  avia-builder-el-0  el_before_av_textblock  avia-builder-el-first '><h3 class='av-special-heading-tag'  itemprop=\"headline\"  >New Permissions in SQL Server 2014.<\/h3><div class='av-subheading av-subheading_below'><p>IMPERSONATE ANY LOGIN, SELECT ALL USER SECURABLES, CONNECT ANY DATABASE and the old CONTROL SERVER<\/p>\n<\/div><div class=\"special-heading-border\"><div class=\"special-heading-inner-border\"><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>SQL Server 2014 brings altogether 5 new permissions. Two of those are on database level and only available in the Windows Azure SQL Database Edition \u2013 not in the box-version. <!--more-->(Thanks <a href=\"http:\/\/www.sommarskog.se\/\" target=\"_blank\" rel=\"noopener\">Erland Sommarskog<\/a> for confirming this and pointing me to the quite hidden note in the documentation: <a href=\"http:\/\/msdn.microsoft.com\/en-us\/library\/ms178569%28v=sql.120%29.aspx\" target=\"_blank\" rel=\"noopener\">GRANT Database Permissions<\/a>)<br \/>\nThe new permissions are as follows:<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><table>\n<tbody>\n<tr>\n<td width=\"85\"><strong>Class Desc.<\/strong><\/td>\n<td width=\"237\"><strong>Permission Name<\/strong><\/td>\n<td width=\"51\"><strong>Type<\/strong><\/td>\n<td width=\"245\"><strong>Parent Covering Permission Name<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">DATABASE<\/td>\n<td width=\"237\">ALTER ANY DATABASE EVENT SESSION<\/td>\n<td width=\"51\">AADS<\/td>\n<td width=\"245\">ALTER ANY EVENT SESSION<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">DATABASE<\/td>\n<td width=\"237\">KILL DATABASE CONNECTION<\/td>\n<td width=\"51\">KIDC<\/td>\n<td width=\"245\">ALTER ANY CONNECTION<\/td>\n<\/tr>\n<tr>\n<td width=\"85\">SERVER<\/td>\n<td width=\"237\">CONNECT ANY DATABASE<\/td>\n<td width=\"51\">CADB<\/td>\n<td width=\"245\"><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">SERVER<\/td>\n<td width=\"237\">IMPERSONATE ANY LOGIN<\/td>\n<td width=\"51\">IAL<\/td>\n<td width=\"245\"><\/td>\n<\/tr>\n<tr>\n<td width=\"85\">SERVER<\/td>\n<td width=\"237\">SELECT ALL USER SECURABLES<\/td>\n<td width=\"51\">SUS<\/td>\n<td width=\"245\"><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>So, what for and how can we use those permissions on Server level?<\/p>\n<p><strong>IMPERSONATE ANY LOGIN<\/strong><\/p>\n<p>Do you remember the problem with <strong><em>CONTROL SERVER<\/em><\/strong>? The biggest flaw of this permission was, that this permission also <strong>allowed Impersonation of any account, including privilege elevation to any sysadmin<\/strong>. I have documented this and other problems with <em>CONTROL SERVER<\/em> in detail here:<\/p>\n<p><a href=\"http:\/\/www.insidesql.org\/blogs\/andreaswolter\/2013\/08\/control-server-vs-sysadmin-sa-permissions-privilege-escalation-caveats\" target=\"_blank\" rel=\"noopener\"><strong>CONTROL SERVER vs. sysadmin\/sa: permissions, system procedures, DBCC, automatic schema creation and privilege escalation &#8211; caveats<\/strong><\/a><\/p>\n<p>Now in SQL Server 2014, by introducing the permission <strong><em>IMPERSONATE ANY LOGIN<\/em><\/strong>, gives us ammunition to tackle this problem.<\/p>\n<ul>\n<li>This Permission permits to impersonate any Login <u>and User<\/u>(!).<\/li>\n<\/ul>\n<p>If we <strong><em>DENY<\/em><\/strong> this to the Principal with <em>CONTROL SERVER<\/em> permission, it prevents him from impersonating any Login <u>directly<\/u>. (Why do I say \u201cdirectly\u201d? \u2013 We\u2019ll see a bit further down.)<\/p>\n<p>So let\u2019s see <strong>how to prevent a Login with CONTROL SERVER from elevating privileges by impersonating another login <\/strong>with help of the new permission:<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-ab598f124f7311b55a40d8e738f9f528\">\n.avia-image-container.av-av_image-ab598f124f7311b55a40d8e738f9f528 img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-ab598f124f7311b55a40d8e738f9f528 .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-ab598f124f7311b55a40d8e738f9f528 av-styling- avia-align-center  avia-builder-el-4  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3328 avia-img-lazy-loading-not-3328 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot.png\" alt='' title='Permission_code_screenshot'  height=\"847\" width=\"611\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot.png 611w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot-600x832.png 600w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot-216x300.png 216w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot-509x705.png 509w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Permission_code_screenshot-450x624.png 450w\" sizes=\"(max-width: 611px) 100vw, 611px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>Hooray!(?)<\/p>\n<p><strong>Privilege-Escalation<\/strong>-risc:<\/p>\n<p>Really? Still? Of course.<\/p>\n<p>Still we are running under the context of <em>DBA_TheDude:<\/em><\/p>\n<p><a href=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Use_master_code_screenshot.png\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-3329 size-full\" src=\"http:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Use_master_code_screenshot.png\" alt=\"\" width=\"525\" height=\"202\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Use_master_code_screenshot.png 525w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Use_master_code_screenshot-300x115.png 300w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/Use_master_code_screenshot-450x173.png 450w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/a><\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>We cannot <strong><em>Impersonate<\/em><\/strong> the \u201cUtilizeMe\u201d Login, but we can just <strong><em>Log On<\/em><\/strong> using his password!<\/p>\n<ul>\n<li>Another reason to not use SQL authentication by the way, as he would then need to find a valid Windows-Login\u2019s Credentials \u2013 much harder to just creating his own backdoor-account.<\/li>\n<\/ul>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_image-326ab41431a9dae557af615f58cd294a\">\n.avia-image-container.av-av_image-326ab41431a9dae557af615f58cd294a img.avia_image{\nbox-shadow:none;\n}\n.avia-image-container.av-av_image-326ab41431a9dae557af615f58cd294a .av-image-caption-overlay-center{\ncolor:#ffffff;\n}\n<\/style>\n<div  class='avia-image-container av-av_image-326ab41431a9dae557af615f58cd294a av-styling- avia-align-center  avia-builder-el-7  el_after_av_textblock  el_before_av_textblock '   itemprop=\"image\" itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/ImageObject\" ><div class=\"avia-image-container-inner\"><div class=\"avia-image-overlay-wrap\"><img decoding=\"async\" class='wp-image-3324 avia-img-lazy-loading-not-3324 avia_image ' src=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1404_SQL_Server_2014_Logon_Screen_SQL_Authentication.png\" alt='' title='1404_SQL_Server_2014_Logon_Screen_SQL_Authentication'  height=\"320\" width=\"420\"  itemprop=\"thumbnailUrl\" srcset=\"https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1404_SQL_Server_2014_Logon_Screen_SQL_Authentication.png 420w, https:\/\/andreas-wolter.com\/wp-content\/uploads\/2017\/10\/1404_SQL_Server_2014_Logon_Screen_SQL_Authentication-300x229.png 300w\" sizes=\"(max-width: 420px) 100vw, 420px\" \/><\/div><\/div><\/div>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p>So in order to further prevent our Administrator from elevating privileges to sysadmin, we also need to work with <strong>DENY ALTER <u>ANY<\/u> LOGIN<\/strong> and <strong>ALTER <u>ANY<\/u> SERVER ROLE<\/strong>.<\/p>\n<p>Can we THEN finally use <em>CONTROL SERVER<\/em> <strong>completely safely<\/strong>?<\/p>\n<p style=\"text-align: center;\"><span style=\"color: #ff0000;\"><strong>NO!<\/strong><\/span><\/p>\n<p>In fact there are a few other things one can do to elevate permissions from a CONTROL SERVER-permitted account. More tricky in a way, but an attacker with some good knowledge about SQL Server (note, I am not saying \u201crocket-scientist\u201d) will be able to do that.<\/p>\n<p>I am aware that the \u201cSeparation of Duties in SQL Server 2014\u201d-Whitepaper (Contained in the <a href=\"http:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=39269\" target=\"_blank\" rel=\"noopener\">Microsoft\u00ae SQL Server\u00ae 2014 Product Guide<\/a>) does in fact list the combination of GRANT CONTROL SERVER + DENY IMPERSONATE ANY LOGIN as a best practice, but yet\u2026<\/p>\n<p>So do I recommend using it in any way?<\/p>\n<p>That is a hard question for me personally, as I would like to see much less people using\/granting sa\/sysadmin for daily tasks, and this permission had the potential to make an end to it.<\/p>\n<p>Unfortunately it is far from perfect, and in security-terms, anything not flawless, is a risk.<\/p>\n<p>But in terms of getting people away from using the highest privileges from the very beginning, I do see it as a step, since many may just not have the time and skills to break out of it.<\/p>\n<p>I do recommend using it in combination with some solid Auditing and alerts in place. So anyone using this instead sa\/sysasdmin still gets applause, as it shows you care and dare to limit permissions.<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><strong>SELECT ALL USER SECURABLES<\/strong><\/p>\n<p>This permission can be used for preventing a highly privileged Principal that may be troubleshooting\/analyzing the server from reading any user data. &#8211; Do not forget to also deny EXECUTE in all User databases though, otherwise he can just execute the stored procedures (if any exist) to get to the data. Also this is not bullet-proof as we already know from CONTROL SERVER and it\u2019s restrictions.<\/p>\n<p>What\u2019s more safe, is the use for an Auditor that needs to read ALL data, but not change it &#8211; without the effort of creating users and permissions in all user databases.<\/p>\n<p><strong>CONNECT ANY DATABASE<\/strong><\/p>\n<p>This permission can be used quite well for having logins that can basically connect to any database and for example do code reviews &#8211; by combining it with the VIEW ANY DEFINITION permission. I do think this is actually of quite some use for many scenarios.<\/p>\n<\/div><\/section>\r\n\r\n<section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><p><br class=\"\u201cclear\u201c\" \/>Happy \u201cServer controlling\u201d,<\/p>\n<p><br class=\"\u201cclear\u201c\" \/>Andreas<\/p>\n<\/div><\/section>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_one_full-97c650ae075063b375f558a776c570f8\">\n#top .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n.flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nborder-radius:0px 0px 0px 0px;\npadding:0px 0px 0px 0px;\n}\n.responsive #top #wrap_all .flex_column.av-av_one_full-97c650ae075063b375f558a776c570f8{\nmargin-top:40px;\nmargin-bottom:40px;\n}\n<\/style>\n<div  class='flex_column av-av_one_full-97c650ae075063b375f558a776c570f8 av_one_full  avia-builder-el-11  el_after_av_textblock  el_before_av_hr  first flex_column_div av-zero-column-padding  column-top-margin'     ><section  class='av_textblock_section av-av_textblock-2de302bf1aa3cf4c9157dbe6f50ac7eb '   itemscope=\"itemscope\" itemtype=\"https:\/\/schema.org\/BlogPosting\" itemprop=\"blogPost\" ><div class='avia_textblock'  itemprop=\"text\" ><div><\/div>\n<div><\/div>\n<\/div><\/section><\/div>\r\n\r\n<div  class='hr av-av_hr-0ff602b3e980a3377077ff3c1c834df6 hr-default  avia-builder-el-13  el_after_av_one_full  el_before_av_social_share '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-social-sharing-box av-av_social_share-8644d330ffb238fff0cfa858c5295467 av-social-sharing-box-default  avia-builder-el-14  el_after_av_hr  el_before_av_hr  av-social-sharing-box-fullwidth'><div class=\"av-share-box\"><h5 class='av-share-link-description av-no-toc '>Share<\/h5><ul class=\"av-share-box-list noLightbox\"><li class='av-share-link av-social-link-facebook' ><a target=\"_blank\" aria-label=\"Share on Facebook\" href=\"https:\/\/www.facebook.com\/sharer.php?u=https:\/\/andreas-wolter.com\/en\/new-permissions-in-sql-server-2014-and-the-old-control-server\/&#038;t=New%20Permissions%20in%20SQL%20Server%202014%3A%20IMPERSONATE%20ANY%20LOGIN%2C%20SELECT%20ALL%20USER%20SECURABLES%2C%20CONNECT%20ANY%20DATABASE%20and%20the%20old%20CONTROL%20SERVER\" aria-hidden=\"false\" data-av_icon=\"\ue8f3\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Facebook\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Facebook<\/span><\/a><\/li><li class='av-share-link av-social-link-twitter' ><a target=\"_blank\" aria-label=\"Share on Twitter\" href=\"https:\/\/twitter.com\/share?text=New%20Permissions%20in%20SQL%20Server%202014%3A%20IMPERSONATE%20ANY%20LOGIN%2C%20SELECT%20ALL%20USER%20SECURABLES%2C%20CONNECT%20ANY%20DATABASE%20and%20the%20old%20CONTROL%20SERVER&#038;url=https:\/\/andreas-wolter.com\/en\/?p=3334\" aria-hidden=\"false\" data-av_icon=\"\ue8f1\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on Twitter\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on Twitter<\/span><\/a><\/li><li class='av-share-link av-social-link-linkedin' ><a target=\"_blank\" aria-label=\"Share on LinkedIn\" href=\"https:\/\/linkedin.com\/shareArticle?mini=true&#038;title=New%20Permissions%20in%20SQL%20Server%202014%3A%20IMPERSONATE%20ANY%20LOGIN%2C%20SELECT%20ALL%20USER%20SECURABLES%2C%20CONNECT%20ANY%20DATABASE%20and%20the%20old%20CONTROL%20SERVER&#038;url=https:\/\/andreas-wolter.com\/en\/new-permissions-in-sql-server-2014-and-the-old-control-server\/\" aria-hidden=\"false\" data-av_icon=\"\ue8fc\" data-av_iconfont=\"entypo-fontello\" title=\"\" data-avia-related-tooltip=\"Share on LinkedIn\" rel=\"noopener\"><span class='avia_hidden_link_text'>Share on LinkedIn<\/span><\/a><\/li><\/ul><\/div><\/div>\r\n\r\n\n<style type=\"text\/css\" data-created_by=\"avia_inline_auto\" id=\"style-css-av-av_hr-4474f20d2389e2e5ecf918a02da5132e\">\n#top .hr.hr-invisible.av-av_hr-4474f20d2389e2e5ecf918a02da5132e{\nheight:50px;\n}\n<\/style>\n<div  class='hr av-av_hr-4474f20d2389e2e5ecf918a02da5132e hr-invisible  avia-builder-el-15  el_after_av_social_share  el_before_av_comments_list '><span class='hr-inner '><span class=\"hr-inner-style\"><\/span><\/span><\/div>\r\n\r\n<div  class='av-buildercomment av-av_comments_list-88ce68e426f11248fa394058a3de040f  av-blog-meta-author-disabled av-blog-meta-html-info-disabled'><\/div>","protected":false},"excerpt":{"rendered":"SQL Server 2014 brings altogether 5 new permissions. Two of those are on database level and only available in the Windows Azure SQL Database Edition \u2013 not in the box-version.","protected":false},"author":4,"featured_media":3687,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[57,36],"tags":[225,226,27,174],"class_list":["post-3334","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security-en","category-sql-server-2014","tag-escalation-en","tag-privilege-en","tag-security-en","tag-sql-server-2014-en"],"_links":{"self":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3334","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/comments?post=3334"}],"version-history":[{"count":4,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3334\/revisions"}],"predecessor-version":[{"id":3750,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/posts\/3334\/revisions\/3750"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media\/3687"}],"wp:attachment":[{"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/media?parent=3334"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/categories?post=3334"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/andreas-wolter.com\/en\/wp-json\/wp\/v2\/tags?post=3334"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}