?
Solved

Restricting cmdexec in Sql 2005 to the sysadmin

Posted on 2011-03-17
7
Medium Priority
?
1,100 Views
Last Modified: 2012-05-11
I am trying to find a way to restrict the cmdexec to the sysadmin only in SQL 2005,  I have SQL 2005 standard and express, is this possible with these version.  thank you.
0
Comment
Question by:rdare23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158075
If you are refering to xp_cmdshell. This is already done by default. The only way a non-sysadmin can execute xp_cmdshell is by create a proxy.
0
 
LVL 1

Author Comment

by:rdare23
ID: 35158794
I am not sure if it is the xp_cmdshell.  we had a review done and one of things was to make sure that "Access to the SQL cmdexec service should be restricted to the systadmin user account."  
0
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158819
hmmmmmm, have they mentioned if it is being used or is this just a guideline?
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 2000 total points
ID: 35158851
Check under SQL Server agent > Proxies > Operating System (CmdExec)

If there is nothing under there, there would be no access unless the user was a member of the sysadmin server role.
0
 
LVL 1

Accepted Solution

by:
rdare23 earned 0 total points
ID: 35165927
One of the DBs, that is referenced in the review, is on a 2005 express setup, and the sql server agent is not installed. Can I say that the cmdexec can only be accessed by sysadmin?
0
 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 2000 total points
ID: 35165983
This is fine as long as sp_xp_cmdshell_proxy_account has not been executed.

Do the following to check if a credential name of ##xp_cmdshell_proxy_account## exists. If not then a global proxy has not been setup and there would be no access unless part of the sysadmin fixed server role.

SELECT * FROM master.sys.credentials

Open in new window

0
 
LVL 1

Author Closing Comment

by:rdare23
ID: 35196660
Thank you, EvilPostIt.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
Viewers will learn how the fundamental information of how to create a table.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question