Are passwordless logins like ##MS_SQLResourceSigningCertificate##, ##MS_AgentSigningCertificate## a vulnerability?

Question:

I’m new to MS SQL Server.

Colleagues working in IT security have run a scan showing some DB users with null passwords.

Some of them are (# included):

##MS_SQLResourceSigningCertificate##
##MS_SQLReplicationSigningCertificate##
##MS_SQLAuthenticatorCertificate##
##MS_PolicySigningCertificate##
##MS_SmoExtendedSigningCertificate##
##MS_AgentSigningCertificate##

I suspect they are not a security threat but, since they don’t use Windows Authentication either, I don’t know how to support that assumption.

What are these logins for?

Answer:

These logins are created from a certificate. In fact, if you run the following query:

select 
    name,
    type_desc
from sys.server_principals
where type = 'c';   -- 'C' = CERTIFICATE_MAPPED_LOGIN

You will see that they are of type CERTIFICATE_MAPPED_LOGIN. They are typically used to sign code, and you cannot use a certificate-mapped login to connect to SQL Server. Please see this BOL reference on CREATE LOGIN:

Logins created from certificates or asymmetric keys are used only for code signing. They cannot be used to connect to SQL Server.
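As an added example (not part of the original answer), the query below extends the check above: it lists each certificate- or asymmetric-key-mapped login in master together with the certificate it is bound to, confirms that no password row exists for it in sys.sql_logins, and shows any server-level permissions granted to it. It assumes you run it in master with sysadmin or VIEW ANY DEFINITION.

```sql
-- Inventory of certificate-mapped (type 'C') and asymmetric-key-mapped
-- (type 'K') logins, for reviewing a scanner's "null password" finding.
USE master;
GO

SELECT
    sp.name            AS login_name,
    sp.type_desc,
    sp.is_disabled,
    sp.create_date,
    c.name             AS certificate_name,
    c.subject,
    c.expiry_date,
    -- Only password-based logins (type 'S') have a row in sys.sql_logins,
    -- so NULL here means there is no password hash to attack or expire.
    CASE WHEN sl.principal_id IS NULL
         THEN 'no password row (not a SQL login)'
         ELSE 'has password row' END AS password_status
FROM sys.server_principals AS sp
LEFT JOIN sys.certificates AS c
       ON c.sid = sp.sid                   -- a cert-mapped login shares its certificate's SID
LEFT JOIN sys.sql_logins AS sl
       ON sl.principal_id = sp.principal_id
WHERE sp.type IN ('C', 'K')
ORDER BY sp.name;

-- Server-level permissions held by those logins: this is what code signing
-- is for (the signer's permissions are conferred on signed modules), so
-- review the grants rather than the logins' missing passwords.
SELECT
    sp.name            AS login_name,
    pe.class_desc,
    pe.permission_name,
    pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS sp
  ON sp.principal_id = pe.grantee_principal_id
WHERE sp.type IN ('C', 'K')
ORDER BY sp.name, pe.permission_name;
```

A login that appears in the first result with no certificate and no password row should be investigated, since the built-in ##MS_*## signing logins are expected to map to a certificate in master.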
