Gaining access to a Windows 2003 Server through MSSQL diskadmin?

Posted on 2009-02-12
Last Modified: 2013-12-04
Hello all smart people!
I have a Windows 2003 Server running MS SQL 2005. To this machine there is an MS SQL account which has the diskadmin rights. I was now wondering, if there is any way to gain access to this machine through this account? Is this a security risk?
Ofcourse this user can list file on the local disk, but can he/she for example create a  new user on the local machine?
I guess it is the AD that controls user access, but this information need to be written to the filesystem at some moment.

Please let me know if you need any further info.
Thanks in advance.
Question by:jide85
    LVL 38

    Expert Comment

    by:Jim P.
    Assuming that this is a SQL user id and not a domain ID

    It has the ALTER RESOURCES -- the best explanation I can find for it is:

    The diskadmin fixed server role basically has the ability to add and remove backup devices. The list of rights is rather short:

        * Add member to diskadmin
        * DISK INIT
        * sp_addumpdevice
        * sp_diskdefault
        * sp_dropdevice

    Two of these rights, DISK INIT and sp_diskdefault, are deprecated in SQL Server 2000. Books Online states support is limited in SQL Server 2000 and to consider replacing references to DISK INIT with CREATE DATABASE or ALTER DATABASE. The stored procedure sp_diskdefault has much stronger language: Removed; no longer available. Remove all references to sp_diskdefault.

    Removing DISK INIT and sp_diskdefault, only sp_addumpdevice and sp_dropdevice remain. The diskadmin role can create and delete devices for database backups. However, unless a user receives permissions the database level, the user with diskadmin role rights has no permissions to backup a database by default.


    Permissions of Fixed Server Roles:
    LVL 1

    Author Comment

    Hello jimpen.
    So what you are saying is that the SQL user with diskadmin rights can in no way alter the information on the local disks. He/she has only rights to create/delete devices for backup.

    Though there is a command which returns the content of a disk:
    master..xp_cmdshell 'DIR D:\DBBackup\'
    There is no similar command to remove a file?
    Best regards
    LVL 38

    Accepted Solution

    >> master..xp_cmdshell 'DIR D:\DBBackup\'

    The xp_cmdshell is a separate right. If you can do an action at a DOS prompt (DIR/DEL/REName/COPY/XCOPY/...) you can do it with the xp_cmdshell. But the rights to that are not granted by the diskadmin server role. (Example in the code snippet.)

    Now whoever has rights to the xp_cmdshell is limited to the same folders/functions as the SQL Server Agent that runs the SQL Services on your server. (See the Log On As column in your Services applet). If the userid is a local admin -- they can access any folder on the server. But if the user is limited to the SQL Server hive(s) (x:\Program Files\Microsoft SQL Server\MSSQL.#) and any other folders that the Adent has been granted rights to.
    select SYSTEM_USER
    exec xp_cmdshell 'dir c:\*.txt'
    (1 row(s) affected)
    Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
    The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

    Open in new window

    LVL 38

    Expert Comment

    by:Jim P.
    Glad to be of assistance. May all your days get brighter and brighter.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    Join & Write a Comment

    A quick step-by-step overview of installing and configuring Carbonite Server Backup.
    Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
    To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
    Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…

    754 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    22 Experts available now in Live!

    Get 1:1 Help Now