Solved

Restricting cmdexec in Sql 2005 to the sysadmin

Posted on 2011-03-17
7
1,081 Views
Last Modified: 2012-05-11
I am trying to find a way to restrict the cmdexec to the sysadmin only in SQL 2005,  I have SQL 2005 standard and express, is this possible with these version.  thank you.
0
Comment
Question by:rdare23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158075
If you are refering to xp_cmdshell. This is already done by default. The only way a non-sysadmin can execute xp_cmdshell is by create a proxy.
0
 
LVL 1

Author Comment

by:rdare23
ID: 35158794
I am not sure if it is the xp_cmdshell.  we had a review done and one of things was to make sure that "Access to the SQL cmdexec service should be restricted to the systadmin user account."  
0
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158819
hmmmmmm, have they mentioned if it is being used or is this just a guideline?
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 500 total points
ID: 35158851
Check under SQL Server agent > Proxies > Operating System (CmdExec)

If there is nothing under there, there would be no access unless the user was a member of the sysadmin server role.
0
 
LVL 1

Accepted Solution

by:
rdare23 earned 0 total points
ID: 35165927
One of the DBs, that is referenced in the review, is on a 2005 express setup, and the sql server agent is not installed. Can I say that the cmdexec can only be accessed by sysadmin?
0
 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 500 total points
ID: 35165983
This is fine as long as sp_xp_cmdshell_proxy_account has not been executed.

Do the following to check if a credential name of ##xp_cmdshell_proxy_account## exists. If not then a global proxy has not been setup and there would be no access unless part of the sysadmin fixed server role.

SELECT * FROM master.sys.credentials

Open in new window

0
 
LVL 1

Author Closing Comment

by:rdare23
ID: 35196660
Thank you, EvilPostIt.
0

Featured Post

Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Why is this different from all of the other step by step guides?  Because I make a living as a DBA and not as a writer and I lived through this experience. Defining the name: When I talk to people they say different names on this subject stuff l…
Recently we ran in to an issue while running some SQL jobs where we were trying to process the cubes.  We got an error saying failure stating 'NT SERVICE\SQLSERVERAGENT does not have access to Analysis Services. So this is a way to automate that wit…
This videos aims to give the viewer a basic demonstration of how a user can query current session information by using the SYS_CONTEXT function
Via a live example, show how to setup several different housekeeping processes for a SQL Server.

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question