July 7, 2010 at 10:46 am
I have some developers that are using xp_cmdshell and to get it to work I had to grant administer bulk operations for a network group. What does this allow the network groups to do, can they administer or change something? I also had to grant execute on xp_cmdshell which when locking down SQL Server 2005 sounds like a security hole (comments??) I also had to use sp_xp_cmdshell_proxy_account and configure an account which I set to SQL Server service account but as of now this is a permanent proxy account, should the account be temporary and then remove the proxy account after use in the stored procedure? The example below is from Tibor Karaszi.
i.e.
EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT
--Cleanup
EXEC sp_xp_cmdshell_proxy_account null
Thanks for the help!!!
July 7, 2010 at 7:56 pm
shoffman-569213 (7/7/2010)
I have some developers that are using xp_cmdshell and to get it to work I had to grant administer bulk operations for a network group. What does this allow the network groups to do, can they administer or change something? I also had to grant execute on xp_cmdshell which when locking down SQL Server 2005 sounds like a security hole (comments??) I also had to use sp_xp_cmdshell_proxy_account and configure an account which I set to SQL Server service account but as of now this is a permanent proxy account, should the account be temporary and then remove the proxy account after use in the stored procedure? The example below is from Tibor Karaszi.i.e.
EXEC sp_xp_cmdshell_proxy_account 'Domain\WinAccount','pwd'
EXECUTE AS login = 'JohnDoe'
--Execution of xp_cmdshell is allowed.
--And executes successfully!!!
EXEC xp_cmdshell 'DIR C:\*.*'
REVERT
--Cleanup
EXEC sp_xp_cmdshell_proxy_account null
Thanks for the help!!!
What is it that they're actually trying to do using xp_CmdShell? And, yep... it matters.
--Jeff Moden
Change is inevitable... Change for the better is not.
July 8, 2010 at 12:37 pm
The developers are using xp_cmdshell and the OS dir command to verify that the file path and file exists before loading the contents and doing further processing. Using a file is not the best way but the IS manager says for now to use the existing file rather than bring the contents into a table so we have to interact with the file.
July 8, 2010 at 2:58 pm
Thanks I will look into the xp_fileexist
For educational purposes can you give me a rough outline of how to safely give access to xp_cmdshell and bulk administer rights as well as how to handle the proxy account?
Thanks!
July 9, 2010 at 3:45 pm
shoffman-569213 (7/8/2010)
The developers are using xp_cmdshell and the OS dir command to verify that the file path and file exists before loading the contents and doing further processing. Using a file is not the best way but the IS manager says for now to use the existing file rather than bring the contents into a table so we have to interact with the file.
It's easy, then. Try this and see the multiple possibilitites without the need for xp_cmdshell... and, yes... it will also accept an UNC that the server login can see. Hopefully your SQL Server login has the necessary privs...
EXEC Master.dbo.xp_DirTree 'C:\',1,1
--Jeff Moden
Change is inevitable... Change for the better is not.
July 14, 2010 at 1:39 pm
Thanks for the responses and your help, I greatly appreciate it!!
July 19, 2010 at 4:41 am
For educational purposes can you give me a rough outline of how to safely give access to xp_cmdshell and bulk administer rights as well as how to handle the proxy account?
The FineBuild Reference document has details on best practices when creating a xp_cmdshell proxy account. This covers the security considerations, and how the xp_cmdshell proxy relates to SQL Agent job proxies.
The ultimate best practice is where ever possible use lower-risk alternatives to xp_cmdshell, such as the the examples given by Jeff and sturner.
Original author: https://github.com/SQL-FineBuild/Common/wiki/ 1-click install and best practice configuration of SQL Server 2019, 2017 2016, 2014, 2012, 2008 R2, 2008 and 2005.
When I give food to the poor they call me a saint. When I ask why they are poor they call me a communist - Archbishop Hélder Câmara
Viewing 9 posts - 1 through 8 (of 8 total)
You must be logged in to reply to this topic. Login to reply