
Security issue with DTSRUN and SQL Server Agent

Status
Not open for further replies.

gradley

Programmer
Feb 24, 2004
335
US
I am trying to execute a DTSRUN command from SQL Server Agent for a user that does not have sysadmin rights. Here is the message I receive when I view the job history for this job:

"Non-SysAdmins have been denied permission to run CmdExec job steps. The step failed."

I've heard that cross-database ownership chaining can be used to address this issue, but I'm not sure how to implement this logic or how vulnerable it makes your server.

Any help would be appreciated.

Thank you

Gordon Radley

 
Thanks mrdenny!

This was a big help. It took me a while to realize that in SQL Server 2000, SQLAgentCmdExec is a user (service) account that is not visible anywhere in Windows and that any user account name (other than SQLAgentCmdExec) will work fine for the proxy service.

I have added this user to the Administrators group but denied logon locally. I don't believe I've compromised the security in any way.

Thanks again.

 
I'd restrict the access to the account you're using for the proxy. With the account having admin rights to the OS now, any user can connect to the SQL Server and execute xp_CMDShell 'net localgroup Administrators username /add' and make themselves an admin on the server.

Denny

--Anything is possible. All it takes is a little research. (Me)
 
Thanks for the heads-up.

It looks like I'm unable to execute xp_cmdshell ("EXECUTE permission denied") unless I connect as a system administrator account remotely (through Query Analyzer or otherwise). Because I have denied local logon to the proxy account and have not specifically given this new account access to SQL Server (other than through BUILTIN\Administrators), I don't see how someone can connect and use this xp_cmdshell procedure.

Please let me know if I'm overlooking something here.

Thanks again.
 
I'm just working on the side of caution, in case someone changes the local logon permission.

Denny

--Anything is possible. All it takes is a little research. (Me)
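
An audit of the three things this thread turns on (who holds sysadmin, who can execute xp_cmdshell, and which Windows account the Agent proxy uses), as an added example that is not part of any poster's reply. It assumes SQL Server 2000, a sysadmin connection, and the SQL Server 2000 system tables and permission codes noted in the comments.

```sql
-- Added example (not from the thread). Assumes SQL Server 2000 and a sysadmin connection.

-- 1. Logins that hold the sysadmin server role. BUILTIN\Administrators appearing here
--    means every local Windows administrator, including a proxy account added to the
--    Administrators group, is a SQL Server sysadmin through group membership.
SELECT name,
       isntgroup,   -- 1 = Windows group
       isntuser,    -- 1 = Windows user
       denylogin    -- 1 = login explicitly denied
FROM master.dbo.syslogins
WHERE sysadmin = 1
ORDER BY name

-- 2. Explicit EXECUTE permissions on xp_cmdshell in master. Sysadmins bypass permission
--    checks, so they never appear here; any non-sysadmin grantee listed can run OS
--    commands under the proxy account's Windows rights.
SELECT u.name AS grantee,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END AS permission_state
FROM master.dbo.sysprotects p
JOIN master.dbo.sysusers u ON u.uid = p.uid
WHERE p.id = OBJECT_ID('master.dbo.xp_cmdshell')
  AND p.action = 224          -- 224 = EXECUTE

-- 3. The Windows account currently configured as the SQL Server Agent proxy.
--    Check this account's local group memberships in Windows afterwards.
EXEC master.dbo.xp_sqlagent_proxy_account N'GET'
```

If query 2 returns no rows and query 1 lists only intended administrators, xp_cmdshell is reachable only by sysadmins, which matches the "EXECUTE permission denied" result reported above. Re-run it after any permission change, since a later grant on xp_cmdshell would expose the proxy account's OS rights to that grantee.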
 