Re: xp_cmdshell
From: AJAY R (dba_pune_at_hotmail.com)
Date: 07/09/03
Date: Wed, 9 Jul 2003 16:05:23 +0530
Thanks Dan
But my purpose is to hide xp_cmdshell from any user.
Even if some intrusion happens in the db, the intruder should not be able
to see xp_cmdshell.
Is there any way to hide or rename or anything which will keep xp_cmdshell
present but in encapsulated form or with some other name?
Regards
Ajay Rengunthwar
"Dan Guzman" <danguzman@nospam-earthlink.net> wrote in message
news:uNnvxdURDHA.2676@TK2MSFTNGP10.phx.gbl...
> Only members of the sysadmin server role can execute xp_cmdshell by
> default. If your application requires xp_cmdshell functionality, you
> can create a dbo-owned proc in an sa-owned user database that
> encapsulates the xp_cmdshell commands. With this technique,
> non-sysadmin users need execute permissions on your user proc and ad-hoc
> xp_cmdshell commands can't be executed directly by non-sysadmin users.
> The OS security context for non-sysadmin users is limited to the SQL
> Agent Proxy account.
>
> It is important that you code the proc in such a way that only intended
> commands can be executed. Also, you'll need to enable cross-database
> chaining (introduced in SQL 2000 SP3) and should do so only if you fully
> trust members of the db_owner and db_ddladmin database roles.
>
> --
> Hope this helps.
>
> Dan Guzman
> SQL Server MVP
>
> -----------------------
> SQL FAQ links (courtesy Neil Pike):
>
> http://www.ntfaq.com/Articles/Index.cfm?DepartmentID=800
> http://www.sqlserverfaq.com
> http://www.mssqlserver.com/faq
> -----------------------
>
> "AJAY R" <dba_pune@hotmail.com> wrote in message
> news:uLANKERRDHA.304@tk2msftngp13.phx.gbl...
> > Hi
> > Is it possible to restrict access to xp_cmdshell?
> > My purpose is to hide xp_cmdshell from any user.
> > Maybe renaming xp_cmdshell.
> > Or is it OK to add the extended procedure whenever required?
> >
> > Regards
> > Ajay
> >
> >
>
>
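
The wrapper technique described in Dan Guzman's quoted reply, sketched as an added example that is not code from either poster. The database name `AdminTools`, the procedure `dbo.usp_RunMaintenanceTask`, the role `TaskRunners`, the task names and the backup path are all hypothetical; the database is assumed to be owned by sa, and cross-database chaining is switched on per database with `sp_dboption`, as available from SQL 2000 SP3.

```sql
-- Added example (SQL Server 2000 SP3 syntax). All object names are hypothetical.
USE master
GO
-- Check: list explicit grants on xp_cmdshell. Only sysadmin members should be
-- able to run it directly; an error saying no rows match means no grants exist.
EXEC sp_helprotect 'xp_cmdshell'
GO

-- Assumption: AdminTools is a user database owned by sa, so the ownership
-- chain from the dbo-owned proc to master.dbo.xp_cmdshell is unbroken.
EXEC sp_dboption 'AdminTools', 'db chaining', 'true'
GO

USE AdminTools
GO
CREATE PROCEDURE dbo.usp_RunMaintenanceTask
    @TaskName varchar(30)
AS
SET NOCOUNT ON
DECLARE @cmd varchar(255)

-- The caller supplies only a task name. The command text is fixed here and
-- is never built from caller input, so only intended commands can run.
SELECT @cmd = CASE @TaskName
                  WHEN 'ListBackups' THEN 'dir /b D:\Backups\*.bak'  -- constructed path
                  WHEN 'ShowVolume'  THEN 'vol D:'
              END

IF @cmd IS NULL
BEGIN
    RAISERROR('Unknown task name.', 16, 1)
    RETURN 1
END

EXEC master.dbo.xp_cmdshell @cmd
RETURN 0
GO

-- Non-sysadmin users get EXECUTE on the wrapper only, never on xp_cmdshell.
GRANT EXECUTE ON dbo.usp_RunMaintenanceTask TO TaskRunners
GO
```

As the quoted reply notes, chaining should be enabled only where members of db_owner and db_ddladmin in that database are fully trusted, because they can create other dbo-owned procedures that ride the same chain.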