
Gaining access to a Windows 2003 Server through MSSQL diskadmin?

Last Modified: 2013-12-04
Hello all smart people!
I have a Windows 2003 Server running MS SQL 2005. On this machine there is an MS SQL account which has the diskadmin rights. I was now wondering if there is any way to gain access to this machine through this account? Is this a security risk?
Of course this user can list files on the local disk, but can he/she for example create a new user on the local machine?
I guess it is the AD that controls user access, but this information needs to be written to the filesystem at some moment.

Please let me know if you need any further info.
Thanks in advance.

Most Valuable Expert 2014

Commented:
Assuming that this is a SQL user ID and not a domain ID:

It has the ALTER RESOURCES permission. The best explanation I can find for it is:

The diskadmin fixed server role basically has the ability to add and remove backup devices. The list of rights is rather short:

    * Add member to diskadmin
    * DISK INIT
    * sp_addumpdevice
    * sp_diskdefault
    * sp_dropdevice

Two of these rights, DISK INIT and sp_diskdefault, are deprecated in SQL Server 2000. Books Online states support is limited in SQL Server 2000 and to consider replacing references to DISK INIT with CREATE DATABASE or ALTER DATABASE. The stored procedure sp_diskdefault has much stronger language: Removed; no longer available. Remove all references to sp_diskdefault.

Removing DISK INIT and sp_diskdefault, only sp_addumpdevice and sp_dropdevice remain. The diskadmin role can create and delete devices for database backups. However, unless a user receives permissions at the database level, the user with diskadmin role rights has no permissions to back up a database by default.

http://www.sqlservercentral.com/articles/Administering/sqlserversecurityfixedroles/1163/

diskadmin: http://msdn.microsoft.com/en-us/library/ms175949(SQL.90).aspx

Permissions of Fixed Server Roles:
http://msdn.microsoft.com/en-us/library/ms175892(SQL.90).aspx

Author

Commented:
Hello jimpen.
So what you are saying is that the SQL user with diskadmin rights can in no way alter the information on the local disks. He/she only has rights to create/delete devices for backup.

Though there is a command which returns the content of a disk:
master..xp_cmdshell 'DIR D:\DBBackup\'
Is there no similar command to remove a file?
Best regards
/jide
Most Valuable Expert 2014
Commented:
>> master..xp_cmdshell 'DIR D:\DBBackup\'

The xp_cmdshell is a separate right. If you can do an action at a DOS prompt (DIR/DEL/RENAME/COPY/XCOPY/...), you can do it with xp_cmdshell. But the rights to that are not granted by the diskadmin server role. (Example in the code snippet.)

Now whoever has rights to xp_cmdshell is limited to the same folders/functions as the SQL Server Agent that runs the SQL Services on your server (see the Log On As column in your Services applet). If the user ID is a local admin, they can access any folder on the server. Otherwise the user is limited to the SQL Server hive(s) (x:\Program Files\Microsoft SQL Server\MSSQL.#) and any other folders that the Agent has been granted rights to.
-- Run as the diskadmin-only login, then try the shell
select SYSTEM_USER
exec xp_cmdshell 'dir c:\*.txt'

-- Output:
--------------------------------------------------------------------------------------------------------------------------------
diskAdmin_test

(1 row(s) affected)

Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

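As an added example (not part of the thread), the audit a DBA would run to verify jimpen's point on a SQL Server 2005 or later instance: whether xp_cmdshell is enabled at all, who sits in diskadmin, who has actually been granted EXECUTE on xp_cmdshell, and what the diskadmin login itself can reach. The login name diskAdmin_test is taken from the output above; substitute the login you are auditing.

```sql
-- 1. Is xp_cmdshell enabled on the instance? (value_in_use = 0 means off)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Members of the diskadmin fixed server role (the account the question asks about).
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'diskadmin';

-- 3. Explicit EXECUTE grants on xp_cmdshell. They are recorded in master,
--    not via any server role, which is why diskadmin alone does not confer them.
USE master;
SELECT dp.name AS grantee, dp.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1                                   -- object-level permission
  AND p.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 4. Same check the thread shows, from the diskadmin login's point of view,
--    without needing its password. Requires IMPERSONATE on that login.
EXECUTE AS LOGIN = 'diskAdmin_test';               -- login name assumed from the thread
SELECT SYSTEM_USER AS running_as,
       IS_SRVROLEMEMBER('diskadmin') AS in_diskadmin,                              -- expect 1
       HAS_PERMS_BY_NAME('sys.xp_cmdshell', 'OBJECT', 'EXECUTE') AS can_exec_xp_cmdshell; -- 0 = denied
REVERT;
```

A diskadmin member with can_exec_xp_cmdshell = 0 matches the Msg 229 result above; a 1 there, or a row in query 3, means someone granted the right separately and should be reviewed.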

Most Valuable Expert 2014

Commented:
Glad to be of assistance. May all your days get brighter and brighter.