Years ago, someone installed a third-party app. The installer would not run unless the account it used had full sysadmin rights on the SQL Server. The vendor’s install guide said so in plain text, often with a line about how it was required for the product to function. So the account got sysadmin. The app went in. It worked. Everyone moved on, and that grant sat there, untouched, for the rest of the server’s life.
The vendor asked for the keys to everything, you handed them over years ago, and nobody has checked since whether they still hold them.
Here is the part that gets missed. That app did not need god-rights to do its job. It needed them to install, maybe, and the vendor found it cheaper to ask for everything than to work out the least it actually required. So the running service account, the one wired into a product some third party wrote and you cannot see inside, can now read every database on that instance. It can drop any of them. It can create new logins and hand them the same power. The app’s data is a small corner of the server. Its access is the whole building.
I have seen some version of this many times. An app account with sysadmin, still live, still running, long after anyone remembered why. Sometimes the vendor stopped supporting that version. Sometimes the vendor no longer exists. The account does, and it has standing rights over your finance database, your customer records, everything else that happens to share the instance. Nobody granted that on purpose. It was a side effect of an install nobody revisited.
The dull truth is that the blast radius was never about the app. It was about everything the app could reach. If that service account is ever compromised, through the vendor, through a saved password, through the app’s own flaws, the attacker does not get the app. They get the server. The thing that was meant to manage one small system has quiet authority over data that has nothing to do with it. It is a problem sitting in plain sight, written into a permissions table, with nobody looking.
None of this needs a breach to be a problem. An auditor asking who can touch your financial data wants the sysadmin list and a reason for each name on it. “A vendor’s installer asked for it years ago” is not a reason that closes the finding. The fix is usually boring. Most of these apps run fine on far less once someone works out what they truly need, and the ones that genuinely cannot are at least documented, owned, and watched instead of forgotten.
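The sysadmin list the auditor asks for is one query away. The T-SQL below is an added example, not code from the original post or from any vendor: it enumerates every principal holding the sysadmin fixed server role, with the details that usually decide whether a name on that list is justified, and ends with a commented template for the boring fix. The login name `VendorAppSvc` and the database `VendorAppDB` are placeholders chosen for illustration.

```sql
-- Added example (not the post's own code). Run on the instance under review;
-- it reads catalog views only and changes nothing.
--
-- Part 1: who holds sysadmin, when they got created, whether the login is
-- still enabled, and whether anything is connected as it right now.
SELECT
    p.name                   AS principal_name,
    p.type_desc              AS principal_type,   -- SQL_LOGIN, WINDOWS_LOGIN or WINDOWS_GROUP
    p.create_date,                                -- a date nobody can explain is the tell
    p.modify_date,
    p.is_disabled,
    ISNULL(s.open_sessions, 0) AS open_sessions   -- current sessions only, not history
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS p ON p.principal_id = rm.member_principal_id
OUTER APPLY (
    SELECT COUNT(*) AS open_sessions
    FROM sys.dm_exec_sessions AS se
    WHERE se.login_name = p.name
) AS s
WHERE r.name = N'sysadmin'
ORDER BY p.create_date;

-- Caveats worth stating in the report:
--  * A WINDOWS_GROUP row means every member of that AD group is sysadmin,
--    so the real list is longer than this output.
--  * sys.dm_exec_sessions shows sessions open now; "last used" history needs
--    SQL Server Audit or a login trigger to have been in place beforehand.
--  * is_disabled = 1 still leaves the grant on the books; auditors count it.

-- Part 2: confirm a suspect account is really in the role before touching it.
SELECT IS_SRVROLEMEMBER(N'sysadmin', N'VendorAppSvc') AS is_sysadmin;  -- placeholder login

-- Part 3: the template for the fix once the app's actual needs are known.
-- Commented out on purpose: scope the rights to what the app demonstrably
-- uses, then apply in a change window with the vendor's support statement on file.
/*
ALTER SERVER ROLE sysadmin DROP MEMBER [VendorAppSvc];      -- placeholder login

USE [VendorAppDB];                                          -- placeholder database
CREATE USER [VendorAppSvc] FOR LOGIN [VendorAppSvc];        -- only if not already mapped
ALTER ROLE db_datareader ADD MEMBER [VendorAppSvc];
ALTER ROLE db_datawriter ADD MEMBER [VendorAppSvc];
-- Add EXECUTE on the app's schema only if the app calls stored procedures:
-- GRANT EXECUTE ON SCHEMA::dbo TO [VendorAppSvc];
*/
```

Part 1 is the evidence for the finding and Part 3 is the shape of the remediation: the account keeps full rights inside its own database and loses standing authority over everything else on the instance. If the vendor insists sysadmin is required at runtime, the output of Part 1 is still what goes in the register of known exceptions, with an owner and a review date.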
We go looking for the standing god-rights nobody revisited, for free, read-only, in a 15-minute SQL Server health check that returns a graded, plain-English report. No changes to anything, no obligation, no sales chase you did not ask for. The vendor account with the keys to everything is one of the most common things we point at, and one of the most common surprises on the other side of the table.
Want to know if this is sitting in your estate? We run a read-only check and hand you a graded report in plain English.
Get your free health check