
Asset Framework and PI System Explorer (PI Server 2018)

Risk of using non-impersonated connections

  • Last Updated Oct 02, 2024

Depending on the configuration of the SQL Server, a user with PI AF administrator privileges could attack the SQL Server and take full control of the system if the following conditions exist:

  • A PI AF table is configured to use the PI AF server identity for linking to an external database.

  • Non-impersonated linked (external) tables are enabled on the PI AF server.

    By default, non-impersonated linked tables are disabled on the PI AF server. In order for a user to execute an attack, that user would need to enable non-impersonated external tables.

  • The PI AF server account has administrative rights on a SQL Server.

    By default, the PI AF server runs under a virtual account, NT SERVICE\AFService, and does not have administrative rights to the locally-configured SQL Server or access to remote computer databases. Without administrator rights to the remote database, the possibility for elevation of privilege attacks is limited.

    Caution: For security reasons, do not grant the PI AF server administrative privileges on the computer or SQL Server when running with non-impersonated queries.
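
To verify the third condition on a given SQL Server instance, the following T-SQL reports whether the PI AF server account holds administrative rights there. This is an added example, not part of the original documentation; it assumes the service runs under the default virtual account named above, so change `@af_login` if a custom service account is used.

```sql
-- Added example: audit the SQL Server rights of the PI AF server account.
-- Assumption: the service runs as the default virtual account from this page.
DECLARE @af_login sysname = N'NT SERVICE\AFService';

-- 1. Direct check against the sysadmin fixed server role.
--    1 = member, 0 = not a member,
--    NULL = the login has no direct access to this instance (or cannot be resolved).
SELECT @af_login                               AS login_name,
       IS_SRVROLEMEMBER('sysadmin', @af_login) AS is_sysadmin;

-- 2. Every fixed or user-defined server role the login is a direct member of.
--    Memberships inherited through a Windows group do not appear here,
--    so review group logins separately if the account belongs to any.
SELECT r.name      AS server_role,
       m.name      AS member_name,
       m.type_desc AS member_type
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @af_login;

-- 3. Server-level permissions granted explicitly to the login.
--    CONTROL SERVER gives effective full control of the instance even
--    without sysadmin membership, so treat it as an administrative right.
SELECT p.name             AS grantee,
       sp.permission_name,
       sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals  AS p ON p.principal_id = sp.grantee_principal_id
WHERE p.name = @af_login
  AND sp.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION')
ORDER BY sp.permission_name;
```

Run it on the local SQL Server and on every remote SQL Server that a linked PI AF table connects to with the PI AF server identity. The expected result for a safe configuration is `is_sysadmin` of 0 or NULL, no administrative role in the second result set, and no `CONTROL SERVER` in the third.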
