• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 251
  • Last Modified:

Granting access to xp_cmdshell

I already know the cons of allowing access to xp_cmdshell but it currently can't be avoided.  That said, would it be better to set my SQL User as a SysAdmin or setup and use the xp_cmdshell_proxy_account?

Thanks
0
cat4larry
Asked:
cat4larry
1 Solution
 
Rainer JeschorCommented:
Hi,
imho I would use the proxy account. This enables you at least to restrict your SQL user permissions as normally this one should not have sysadmin privs (but it would depend on your specific situation).
Just my 2ct
Rainer
0
 
ZberteocCommented:
A sysadmin account has the rights to use xp_cmdshell if enabled. If is not enabled a sysadmin can enable it with:

-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO

Open in new window

There are no cons really as long as only the sysadmin can use it, as it is actually designed for. A DBA, sysadmin, should have anyway right to do things on the server unless the policy of the company is to not allow at all OS rights for the DBAs, in which case they are not allowed to use it not that they couldn't.
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now