xp_cmdshell - Error 997 from GetProxyAccount on line 604
From: Anthony (anonymous_at_discussions.microsoft.com)
Date: 11/26/03
- Next message: Sue Hoegemeier: "Re: what encryption is used in DTS"
- Previous message: anonymous_at_discussions.microsoft.com: "UNABLE TO CONNECT TO SHARE"
- Next in thread: Sue Hoegemeier: "Re: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Reply: Sue Hoegemeier: "Re: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Reply: Anthony: "RE: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Nov 2003 06:15:25 -0800
We try to execute xp_cmdshell from an non-sa SQL login ,
so we have to setup a domain proxy account for this
purpose, still when xp_cmdshell is executed, we got:
Error 997 from GetProxyAccount on line 604
We've done lots of tests, unless we put the service
account for MSSQLSERVER servcice as member of local Admin
group, then it works with NO problem
It seems that here is some contradiction to our basic
security principle, we tried to limit the no. of SQL login
with sa fixed server role ,therefore we only granted
explicit execution permission for xp_cmdshell to certain
SQL logins ; however, we have to put SQL service a/c into
local domain group, which may expose a higher risk to
buffer overrun vulnerabilty ...etc
Any comment..or same experience ?
- Next message: Sue Hoegemeier: "Re: what encryption is used in DTS"
- Previous message: anonymous_at_discussions.microsoft.com: "UNABLE TO CONNECT TO SHARE"
- Next in thread: Sue Hoegemeier: "Re: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Reply: Sue Hoegemeier: "Re: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Reply: Anthony: "RE: xp_cmdshell - Error 997 from GetProxyAccount on line 604"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
