Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Restricting cmdexec in Sql 2005 to the sysadmin

Posted on 2011-03-17
7
Medium Priority
?
1,114 Views
Last Modified: 2012-05-11
I am trying to find a way to restrict the cmdexec to the sysadmin only in SQL 2005,  I have SQL 2005 standard and express, is this possible with these version.  thank you.
0
Comment
Question by:rdare23
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158075
If you are refering to xp_cmdshell. This is already done by default. The only way a non-sysadmin can execute xp_cmdshell is by create a proxy.
0
 
LVL 1

Author Comment

by:rdare23
ID: 35158794
I am not sure if it is the xp_cmdshell.  we had a review done and one of things was to make sure that "Access to the SQL cmdexec service should be restricted to the systadmin user account."  
0
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158819
hmmmmmm, have they mentioned if it is being used or is this just a guideline?
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 2000 total points
ID: 35158851
Check under SQL Server agent > Proxies > Operating System (CmdExec)

If there is nothing under there, there would be no access unless the user was a member of the sysadmin server role.
0
 
LVL 1

Accepted Solution

by:
rdare23 earned 0 total points
ID: 35165927
One of the DBs, that is referenced in the review, is on a 2005 express setup, and the sql server agent is not installed. Can I say that the cmdexec can only be accessed by sysadmin?
0
 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 2000 total points
ID: 35165983
This is fine as long as sp_xp_cmdshell_proxy_account has not been executed.

Do the following to check if a credential name of ##xp_cmdshell_proxy_account## exists. If not then a global proxy has not been setup and there would be no access unless part of the sysadmin fixed server role.

SELECT * FROM master.sys.credentials

Open in new window

0
 
LVL 1

Author Closing Comment

by:rdare23
ID: 35196660
Thank you, EvilPostIt.
0

Featured Post

Ask an Anonymous Question!

Don't feel intimidated by what you don't know. Ask your question anonymously. It's easy! Learn more and upgrade.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's business world, data is more important than ever for informing marketing campaigns. Accessing and using data, however, may not come naturally to some creative marketing professionals. Here are four tips for adapting to wield data for insi…
Instead of error trapping or hard-coding for non-updateable fields when using QODBC, let VBA automatically disable them when forms open. This way, users can view but not change the data. Part 1 explained how to use schema tables to do this. Part 2 h…
Via a live example, show how to shrink a transaction log file down to a reasonable size.
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question