protect users from using xp_cmdshell


masds

Technical User
Mar 3, 2005
100
CA

How to protect xp_cmdshell from being executed by a user, say the user running the SQL Server service?
 
By default, only System administrators should have rights to run xp_cmdshell.

You can, however, go to xp_cmdshell in the extended stored procedures section of the master database and explicitly "DENY" rights to a specific user.

Is the registered server for that individual connected with a user that has Admin rights?

 
If a user logs in with the SQL Server service account they will have sysadmin rights, and will be able to run xp_cmdshell. The only way to remove the ability for sysadmins to run xp_cmdshell would be to remove it from the database.

However any sysadmin can put it back in.

Denny
MCSA (2003) / MCDBA (SQL 2000)

--Anything is possible. All it takes is a little research. (Me)

 

denny said:
If a user logs in with the SQL Server service account they will have sysadmin rights

So the user who runs the SQL Server service must have the sysadmin fixed server role? On my server I set this user to not have the sysadmin role; is there any problem with this setting?
 
What Denny is saying is the SQL Server service account or the SA account both have SysAdmin rights. If your user connects to SQL with either of these logins, he / she will be able to execute xp_cmdshell and will have SysAdmin rights.

You can make the user account a non-Sysadmin user account and as long as this user doesn't have the pwd to either of the above accounts, you'll be fine. If that user DOES have the pwd to either of the above accounts, I would advise changing that password and then checking all jobs, replication setups, and SQL Server to SQL Server connections to change the passwords there too.



Catadmin - MCDBA, MCSA
Beware the error of pre-emptive poultry inventory!
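
The checks discussed in the replies above, as an added T-SQL example that is not part of the original thread. It assumes SQL Server 2000 (the version named in one poster's signature) and a constructed placeholder login, CORP\app_user, that is already mapped to a user in master.

```sql
-- Added example, not from the thread. CORP\app_user is a constructed
-- placeholder; substitute the login you want to restrict.
USE master
GO

-- 1. List every member of the sysadmin fixed server role.
--    Permission checks are skipped for these logins, so a DENY on
--    xp_cmdshell has no effect on any name that appears here.
EXEC sp_helpsrvrolemember 'sysadmin'
GO

-- 2. Confirm the login to be restricted is NOT a sysadmin.
--    Returns 1 = member, 0 = not a member, NULL = role or login not valid.
SELECT IS_SRVROLEMEMBER('sysadmin', 'CORP\app_user') AS is_sysadmin
GO

-- 3. Explicitly deny execute on the extended stored procedure.
--    Assumption: the login is mapped to a user in master; the statement
--    fails if no such user exists in this database.
DENY EXECUTE ON xp_cmdshell TO [CORP\app_user]
GO

-- 4. Verify: the grantee should be listed with ProtectType 'Deny'
--    and Action 'Execute'.
EXEC sp_helprotect 'xp_cmdshell'
GO
```

If step 2 returns 1, step 3 changes nothing in practice: the login has to be removed from sysadmin before the DENY can take effect.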
 

As a sysadmin setting up a job: I know the SQLAgent service runs under account A. If I then create a job and change the owner of the job to account B, what level of permission does this job have? The same as account A or account B?
 
Usually, the job has the permissions of the owner. In this case, account B. I'm sure there are exceptions, but I can't think of them offhand.



Catadmin - MCDBA, MCSA
Beware the error of pre-emptive poultry inventory!
 