Gaining access to a Windows 2003 Server through MSSQL diskadmin?

Posted on 2009-02-12
Last Modified: 2013-12-04
Hello all smart people!
I have a Windows 2003 Server running MS SQL 2005. To this machine there is an MS SQL account which has the diskadmin rights. I was now wondering, if there is any way to gain access to this machine through this account? Is this a security risk?
Of course this user can list files on the local disk, but can he/she, for example, create a new user on the local machine?
I guess it is the AD that controls user access, but this information needs to be written to the filesystem at some moment.

Please let me know if you need any further info.
Thanks in advance.
Question by:jide85

Expert Comment

by:Jim P.
ID: 23634398
Assuming that this is a SQL user id and not a domain ID

It has the ALTER RESOURCES -- the best explanation I can find for it is:

The diskadmin fixed server role basically has the ability to add and remove backup devices. The list of rights is rather short:

    * Add member to diskadmin
    * DISK INIT
    * sp_addumpdevice
    * sp_diskdefault
    * sp_dropdevice

Two of these rights, DISK INIT and sp_diskdefault, are deprecated in SQL Server 2000. Books Online states support is limited in SQL Server 2000 and to consider replacing references to DISK INIT with CREATE DATABASE or ALTER DATABASE. The stored procedure sp_diskdefault has much stronger language: Removed; no longer available. Remove all references to sp_diskdefault.

Removing DISK INIT and sp_diskdefault, only sp_addumpdevice and sp_dropdevice remain. The diskadmin role can create and delete devices for database backups. However, unless a user receives permissions at the database level, the user with diskadmin role rights has no permissions to backup a database by default.

http://www.sqlservercentral.com/articles/Administering/sqlserversecurityfixedroles/1163/

diskadmin: http://msdn.microsoft.com/en-us/library/ms175949(SQL.90).aspx

Permissions of Fixed Server Roles:
http://msdn.microsoft.com/en-us/library/ms175892(SQL.90).aspx

Author Comment

by:jide85
ID: 23647888
Hello jimpen.
So what you are saying is that the SQL user with diskadmin rights can in no way alter the information on the local disks. He/she has only rights to create/delete devices for backup.

Though there is a command which returns the content of a disk:
master..xp_cmdshell 'DIR D:\DBBackup\'
There is no similar command to remove a file?
Best regards
/jide

Accepted Solution

by:
Jim P. earned 2000 total points
ID: 23659956
>> master..xp_cmdshell 'DIR D:\DBBackup\'

The xp_cmdshell is a separate right. If you can do an action at a DOS prompt (DIR/DEL/REName/COPY/XCOPY/...) you can do it with the xp_cmdshell. But the rights to that are not granted by the diskadmin server role. (Example in the code snippet.)

Now whoever has rights to the xp_cmdshell is limited to the same folders/functions as the SQL Server Agent that runs the SQL Services on your server. (See the Log On As column in your Services applet). If the userid is a local admin -- they can access any folder on the server. But if the user is limited to the SQL Server hive(s) (x:\Program Files\Microsoft SQL Server\MSSQL.#) and any other folders that the Agent has been granted rights to.

select SYSTEM_USER

exec xp_cmdshell 'dir c:\*.txt'

--------------------------------------------------------------------------------------------------------------------------------
diskAdmin_test

(1 row(s) affected)

Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
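
The checks discussed in this thread, written as T-SQL (an added example, not code from any of the posters): it lists who holds diskadmin and sysadmin, whether xp_cmdshell is enabled, and who has been granted EXECUTE on it. It assumes a sysadmin runs it on SQL Server 2005 or later; the login name diskAdmin_test is the one shown in the output above.

```sql
-- Added audit example; run as a sysadmin on the instance being reviewed.

-- 1. Members of diskadmin (backup devices only) and sysadmin
--    (sysadmin members can run xp_cmdshell whenever it is enabled).
SELECT r.name AS server_role,
       m.name AS member_name,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'diskadmin', N'sysadmin')
ORDER BY r.name, m.name;

-- 2. Is xp_cmdshell enabled? value_in_use = 0 means nobody can call it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 3. Principals holding an explicit permission on xp_cmdshell in master.
--    diskadmin membership alone never shows up here, which is why the
--    call in the thread failed with Msg 229.
SELECT pr.name AS grantee,
       pr.type_desc,
       dp.permission_name,
       dp.state_desc          -- GRANT, DENY, ...
FROM master.sys.database_permissions AS dp
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.class = 1
  AND dp.major_id = OBJECT_ID(N'master.sys.xp_cmdshell');

-- 4. Windows identity used when a non-sysadmin runs xp_cmdshell
--    (no row means no proxy credential has been configured).
SELECT name, credential_identity
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 5. Spot-check one login (name taken from the thread's output):
--    1 = member, 0 = not a member, NULL = login or role not valid.
SELECT IS_SRVROLEMEMBER('diskadmin', N'diskAdmin_test') AS in_diskadmin,
       IS_SRVROLEMEMBER('sysadmin',  N'diskAdmin_test') AS in_sysadmin;
```

A login that appears only under diskadmin in query 1 and not at all in query 3 has no path to operating-system commands through xp_cmdshell.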


Expert Comment

by:Jim P.
ID: 23893366
Glad to be of assistance. May all your days get brighter and brighter.