Security question about xp_cmdshell

djj55 (Programmer), Feb 6, 2006
Hello, I am moving from 2000 to 2008, and several of the stored procedures use xp_cmdshell, mainly to do bcp.

I found how to turn on xp_cmdshell (BOL: xp_cmdshell Option).

My question is: is the proxy created by sp_xp_cmdshell_proxy_account the only user able to use xp_cmdshell?

I saw thread962-911606, which talks about the proxy; however, I assume it is for 2000 as it is dated 2004.

Thank you,


djj
The Lord is My Shepherd (Psalm 23) - I need someone to lead me!
 
When you create a proxy account, any user who uses xp_cmdshell will be logged into the OS and will have the rights which are granted to the account which you set as the proxy account.

In other words, if you assign the account MyDomain\SQLProxy as the proxy account, then anyone who runs xp_cmdshell will have all the rights which are assigned to the MyDomain\SQLProxy account.

This would include the right to log back into the database using sqlcmd and run other SQL commands.

Denny
MVP
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / SQL 2005 BI / SQL 2008 DBA / SQL 2008 DBD / SQL 2008 BI / MWSS 3.0: Configuration / MOSS 2007: Configuration)
MCITP (SQL 2005 DBA / SQL 2008 DBA / SQL 2005 DBD / SQL 2008 DBD / SQL 2005 BI / SQL 2008 BI)

My Blog
 
Thank you, so no proxy account.

djj
 
Not unless it is absolutely needed. And then the proxy account should only have the minimal rights needed to function.

xp_cmdshell is a huge security hole just waiting to be exploited.

Denny
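The two replies above describe how the proxy works and say to grant it only the minimal rights needed. The following T-SQL is an added example written for this page, not code from the thread or from Microsoft's documentation. It puts that advice into a concrete SQL Server 2005/2008 setup: enable the option, set a proxy, grant EXECUTE through a dedicated role instead of to public, and then audit who can call xp_cmdshell. The names MyDomain\SQLProxy, BcpOperators, AppUser, the password and the export folder are hypothetical placeholders. One caveat the thread does not spell out: per Books Online, the proxy is only used for callers who are not members of sysadmin; sysadmin callers run the command as the SQL Server service account, so the service account's rights matter just as much.

```sql
-- Added example (not from the original thread). Least-privilege xp_cmdshell setup
-- for SQL Server 2005/2008. All account, role and path names are hypothetical.

-- 1. Enable xp_cmdshell (off by default since 2005). 'show advanced options' must
--    be on before the 'xp_cmdshell' option is visible to sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO

-- 2. Set the proxy account. Non-sysadmin callers of xp_cmdshell run their OS
--    command as this Windows account; sysadmin callers run as the SQL Server
--    service account and never use the proxy. Give the proxy only what bcp needs
--    (log on to the server, read/write on the export folder) and do NOT give it
--    a sysadmin login in SQL Server: bcp -T or sqlcmd -E run under the proxy
--    would otherwise log straight back into the instance with full rights.
EXEC sp_xp_cmdshell_proxy_account 'MyDomain\SQLProxy', 'hypothetical-password';
GO

-- 3. Grant EXECUTE on xp_cmdshell to a dedicated role in master, never to public.
--    The login must be mapped to a user in master before it can join the role.
USE master;
GO
CREATE ROLE BcpOperators;
GRANT EXECUTE ON xp_cmdshell TO BcpOperators;
CREATE USER AppUser FOR LOGIN AppUser;   -- assumes login AppUser already exists
EXEC sp_addrolemember 'BcpOperators', 'AppUser';
GO

-- 4. Typical use from a procedure: the bcp process runs as the proxy, so the
--    proxy's NTFS rights decide where it can write, and -T logs bcp into SQL
--    Server as the proxy's Windows login.
EXEC master..xp_cmdshell
    'bcp "SELECT 1 AS x" queryout "C:\Export\sample.txt" -c -T -S .';
GO

-- 5. Audit checks. Is the option on?
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Which Windows account is the proxy? (Stored as a system credential.)
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- Every database principal in master holding a permission on xp_cmdshell,
-- directly or via a role. A row for 'public' means every login can call it.
SELECT dp.name AS grantee, dp.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
    ON dp.principal_id = p.grantee_principal_id
WHERE p.class_desc = 'OBJECT_OR_COLUMN'
  AND p.major_id = OBJECT_ID('sys.xp_cmdshell');
GO

-- 6. Rolling it back: drop the proxy (non-sysadmin callers then fail) and
--    turn the option off again once the bcp work has moved elsewhere.
-- EXEC sp_xp_cmdshell_proxy_account NULL;
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Run the audit queries in step 5 on a regular basis: the permission listing is what shows whether someone has quietly granted xp_cmdshell to public or to an application role, and the sys.credentials row shows which Windows account every non-sysadmin caller is effectively acting as.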
 
Thanks.

I am trying to learn SSIS but am having trouble understanding the book I am using and I do not have a lot of time to study as I am trying to keep the 2000 code running.

I inherited a mess and have been working for two years trying not to break anything when I change/fix something. I know that sounds strange, you fix something and end up breaking something, but we have several dozen Access front ends. You fix one, three break. Enough complaining.

Thank you for your comments.


djj
 
SSIS is a large beast, but it is very powerful. It can take quite a while to get the hang of.

Denny
 