Solved

Restricting cmdexec in Sql 2005 to the sysadmin

Posted on 2011-03-17
7
1,069 Views
Last Modified: 2012-05-11
I am trying to find a way to restrict the cmdexec to the sysadmin only in SQL 2005,  I have SQL 2005 standard and express, is this possible with these version.  thank you.
0
Comment
Question by:rdare23
  • 4
  • 3
7 Comments
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158075
If you are refering to xp_cmdshell. This is already done by default. The only way a non-sysadmin can execute xp_cmdshell is by create a proxy.
0
 
LVL 1

Author Comment

by:rdare23
ID: 35158794
I am not sure if it is the xp_cmdshell.  we had a review done and one of things was to make sure that "Access to the SQL cmdexec service should be restricted to the systadmin user account."  
0
 
LVL 16

Expert Comment

by:EvilPostIt
ID: 35158819
hmmmmmm, have they mentioned if it is being used or is this just a guideline?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 500 total points
ID: 35158851
Check under SQL Server agent > Proxies > Operating System (CmdExec)

If there is nothing under there, there would be no access unless the user was a member of the sysadmin server role.
0
 
LVL 1

Accepted Solution

by:
rdare23 earned 0 total points
ID: 35165927
One of the DBs, that is referenced in the review, is on a 2005 express setup, and the sql server agent is not installed. Can I say that the cmdexec can only be accessed by sysadmin?
0
 
LVL 16

Assisted Solution

by:EvilPostIt
EvilPostIt earned 500 total points
ID: 35165983
This is fine as long as sp_xp_cmdshell_proxy_account has not been executed.

Do the following to check if a credential name of ##xp_cmdshell_proxy_account## exists. If not then a global proxy has not been setup and there would be no access unless part of the sysadmin fixed server role.

SELECT * FROM master.sys.credentials

Open in new window

0
 
LVL 1

Author Closing Comment

by:rdare23
ID: 35196660
Thank you, EvilPostIt.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article explains how to reset the password of the sa account on a Microsoft SQL Server.  The steps in this article work in SQL 2005, 2008, 2008 R2, 2012, 2014 and 2016.
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Via a live example, show how to backup a database, simulate a failure backup the tail of the database transaction log and perform the restore.
Via a live example, show how to shrink a transaction log file down to a reasonable size.

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now