Re: Issues with revoking rights to run xp_fileexist?

From: Peter Yang [MSFT] (petery_at_online.microsoft.com)
Date: 07/16/03

    Date: Wed, 16 Jul 2003 03:30:02 GMT
    
    

    Hello Peter,

    I have performed some further research on the issue. Since the proc
    xp_fileexist is an *undocumented* system procedure, we do not recommend
    making any changes to it, even changing permissions, since this may cause
    problems if there is any change made in a service pack or something.
    Generally we don't recommend making any changes to system objects.

    If you have further concerns on the issue, please feel free to post back.

    Thanks & Regards,

    Peter Yang
    MCSE2000, MCSA, MCDBA
    Microsoft Partner Online Support

    Get Secure! - www.microsoft.com/security

    =====================================================
    When responding to posts, please "Reply to Group" via
    your newsreader so that others may learn and benefit
    from your issue.
    =====================================================
    This posting is provided "AS IS" with no warranties, and confers no rights.

    --------------------
    | From: Peter A. Schott <pschott@drivefinancial.com>
    | Subject: Re: Issues with revoking rights to run xp_fileexist?
    | Date: Tue, 15 Jul 2003 06:47:07 -0500
    |
    | That is more of what I'm looking for, but my question is really more
    | along the lines of what users/roles might need permissions to run this
    | proc just for the default tools that come with MSSQL? I know that we
    | don't use this proc in any of our in-house code and I don't think we
    | have to worry about it in the products we've bought, but I want to
    | ensure that removing permissions won't break anything built-in to
    | MSSQL Server.
    |
    | Thanks for your time,
    |
    | -Peter Schott
    |
    | petery@online.microsoft.com (Peter Yang [MSFT]) wrote:
    |
    | > Hello Peter,
    | >
    | > After reviewing your post again it seems that you have concerns about
    | > revoking execute rights from some users and roles on the xp_fileexist
    | > procedure. If so, I think there are no caveats to doing this. If the
    | > proper user or role that needs to run the procedure has the execute
    | > permission there should be no problem.
    | >
    | > If you have further questions on the issue, please let me know.
    | >
    | > Thanks & Regards,
    | >
    | > Peter Yang
    | > --------------------
    | > | Newsgroups: microsoft.public.sqlserver.security
    | > | From: petery@online.microsoft.com (Peter Yang [MSFT])
    | > | Organization: Microsoft
    | > | Date: Tue, 15 Jul 2003 07:15:08 GMT
    | > | Subject: RE: Issues with revoking rights to run xp_fileexist?
    | > |
    | > | Hello Peter,
    | > |
    | > | Thank you for your posting.
    | > |
    | > | If I understand this correctly, you would like to limit permissions
    | > | to some stored procedures so that only authorized users can run them.
    | > |
    | > | You can change this permission in Enterprise Manager or by running
    | > | some commands in Query Analyzer.
    | > |
    | > | In Enterprise Manager, you can configure "Execute" permissions of
    | > | stored procedures for users and roles in your database.
    | > |
    | > | Also, you can use the following command:
    | > |
    | > | Revoke Execute on <store procedure name> from <user or role name>
    | > |
    | > | For example: Revoke Execute on foobar from public
    | > |
    | > | If you have further questions on the issue, please feel free to post
    | > | back.
    | > |
    | > | Thanks & Regards,
    | > |
    | > | Peter Yang
    | > | --------------------
    | > | | From: Peter A. Schott <pschott@drivefinancial.com>
    | > | | Subject: Issues with revoking rights to run xp_fileexist?
    | > | | Date: Mon, 14 Jul 2003 16:18:38 -0500
    | > | |
    | > | | While I don't see any issues with this off the top of my head, I'd
    | > | | like to limit access to this proc so that public can't run it - only
    | > | | SysAdmins or higher-level users (as needed).
    | > | |
    | > | | Are there any caveats to limiting access to this proc?
    | > | |
    | > | | Thanks in advance.
    | > | |
    | > | | -Peter Schott
    | > | |
    | > |
    |
    |
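
The permission change discussed in this thread, written out as an added example (not code from either poster or from Microsoft). It assumes SQL Server 2000 syntax, a sysadmin session in Query Analyzer, and that the procedure lives in master; the file path in the check is a constructed sample.

```sql
-- Added example: audit, revoke, verify and roll back EXECUTE on xp_fileexist.
USE master
GO

-- 1. Record who currently holds permissions on the procedure, so the
--    original state is known before anything is changed. Save this output.
EXEC sp_helprotect @name = 'xp_fileexist'
GO

-- 2. Remove the EXECUTE grant from the public role. Members of sysadmin
--    bypass permission checks and can still run the procedure.
REVOKE EXECUTE ON dbo.xp_fileexist FROM public
GO

-- 3. Verify: public should no longer appear in the listing. If no grants
--    remain at all, sp_helprotect reports that there are no matching rows.
EXEC sp_helprotect @name = 'xp_fileexist'
GO

-- 4. Functional check, run from a separate connection as a login that is
--    NOT a sysadmin. It should now fail with an EXECUTE permission denied
--    error instead of returning a result set.
--    (Constructed sample path; any path works for this test.)
-- EXEC master.dbo.xp_fileexist 'C:\example\sample.txt'

-- 5. Rollback, if a built-in tool or job turns out to depend on the grant.
-- GRANT EXECUTE ON dbo.xp_fileexist TO public
-- GO
```

Because the procedure is undocumented and a service pack may change it, repeat step 1 after patching and compare against the saved output.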

