BCP Utility to output contents into CSV
Posted Monday, June 03, 2013 8:09 AM
Sigerson (6/3/2013)
@Jeff:

Thanks for the information, it answered a lot of my questions. I'm an accidental DBA at best. I never grant individual users any special privs so I don't think I'm in any jeopardy here. No users can execute xp_cmdshell except through an application s/p, and I always disable it in the s/p code as soon as I can.

Anyway, thanks again for the confirmation.


Disabling xp_CmdShell when you're done using it is fine but it really does nothing for security. Only the people who can actually use it (those who have "SA" privs) can turn it on.

I am concerned a bit about what one of the application SPs might look like for running xp_CmdShell because of the "public facing" nature of such SPs and the fact that there is such a thing as "DOS Injection". I'm also concerned with how the privs are set up since the application SPs turn it on and off. I'd be happy to check for you if you'd like to post them. If they're "sensitive", you could PM me instead.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

"Change is inevitable. Change for the better is not." -- 04 August 2013
(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1459297
Posted Monday, June 03, 2013 8:31 AM
@Jeff:

Sure, what do you need to see? I told you I'm very new to the whole topic of users/privs/roles/security in general.

Also, how do I send a PM?


Sigerson

"No pressure, no diamonds." - Thomas Carlyle
Post #1459314
Posted Saturday, June 15, 2013 10:29 AM
Apologies for the delayed reply...

I guess I'd need to see what one of the SPs that takes user input to be used with xp_CmdShell looks like. I'd also need to know (VERY important) what the privs of the application login are and whether or not you've set up an xp_CmdShell proxy.


--Jeff Moden
Post #1463874
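As an added example (not code from this thread or from SQLServerCentral), here are the checks Jeff asks for above (who is sysadmin, whether xp_cmdshell is on, whether a proxy account exists) and one way to write an export SP so that caller input can never change the command that reaches the shell. The procedure name dbo.usp_ExportTableToCsv, the C:\Exports path and the trusted-connection bcp options are assumptions.

```sql
-- Added example (not from the thread). Assumed names: dbo.usp_ExportTableToCsv, C:\Exports.
-- Part 1: audit. Only logins that are sysadmin can run sp_configure to enable xp_cmdshell,
-- so that membership list is the real exposure, not whether the option is currently on.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- Current state of the option, and whether a proxy credential exists so that a
-- non-sysadmin application login would run the shell under a restricted Windows account.
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
SELECT name, credential_identity FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';   -- no rows = no proxy configured
GO

-- Part 2: an export procedure that never lets free-form caller text reach the command line.
CREATE PROCEDURE dbo.usp_ExportTableToCsv
    @SchemaName sysname,
    @TableName  sysname,
    @FileName   nvarchar(64)
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list every token: letters, digits and underscore only, so quotes, '&', '|',
    -- '>' and the like (the "DOS injection" characters) are rejected before any concatenation.
    IF @SchemaName LIKE '%[^A-Za-z0-9_]%' OR @TableName LIKE '%[^A-Za-z0-9_]%'
       OR @FileName LIKE '%[^A-Za-z0-9_]%' OR @FileName = N''
        THROW 50001, 'Only letters, digits and underscore are allowed.', 1;

    -- The table must actually exist; the path and extension are fixed on the server side.
    IF OBJECT_ID(QUOTENAME(@SchemaName) + N'.' + QUOTENAME(@TableName), 'U') IS NULL
        THROW 50002, 'Unknown table.', 1;

    DECLARE @cmd nvarchar(1000) =
        N'bcp "SELECT * FROM ' + QUOTENAME(DB_NAME()) + N'.' + QUOTENAME(@SchemaName)
        + N'.' + QUOTENAME(@TableName) + N'" queryout "C:\Exports\' + @FileName
        + N'.csv" -c -t, -T -S ' + @@SERVERNAME;

    -- Toggling xp_cmdshell off afterwards adds nothing: whoever can enable it is sysadmin anyway.
    EXEC master..xp_cmdshell @cmd, no_output;
END
GO
```

If the application login is not sysadmin, it still needs EXECUTE on xp_cmdshell in master and the proxy credential from Part 1 for the call to succeed, which is the setup that keeps the shell from running as the SQL Server service account.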