Is xp_cmdshell Security threat???
Posted Monday, June 22, 2009 12:17 PM
Hi,

We are using xp_cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?
Post #739642
Posted Monday, June 22, 2009 12:33 PM


rambilla4 (6/22/2009)
Hi,

We are using xp_cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?

That depends. Do you consider this code a threat?

exec master..xp_cmdshell 'FORMAT C:'



Wayne
Microsoft Certified Master: SQL Server 2008
If you can't explain to another person how the code that you're copying from the internet works, then DON'T USE IT on a production system! After all, you will be the one supporting it!
Links: For better assistance in answering your questions, How to ask a question, Performance Problems, Common date/time routines,
CROSS-TABS and PIVOT tables Part 1 & Part 2, Using APPLY Part 1 & Part 2, Splitting Delimited Strings
Post #739652
Posted Monday, June 22, 2009 12:37 PM
The short answer is yes, xp_cmdshell is a dangerous object to enable. There are several ways around using xp_cmdshell, and it would be worth your while to research your alternatives.

Karl Lambert
SQL Server Database Administration
Business Intelligence Development
Post #739654
Posted Monday, June 22, 2009 2:27 PM


It is really only dangerous in the case where appropriate and strict adherence to minimum required permissions and complex password safeguards are lacking or non-existent. Unfortunately this is true in too many situations and has resulted in giving this rather useful procedure a bad name. Most people take the brute force (easier) approach and disable the feature.

There are many ways to hack a database, this is but one of the more interesting ones. Having said that, proper adherence to SQL Server security on objects and logins along with application coding designed to be injection-proof will make this particular procedure no more of a danger than DROP TABLE. I'll get flamed for saying this but it is a fact.





The probability of survival is inversely proportional to the angle of arrival.
Post #739742
Posted Thursday, October 13, 2011 9:43 PM


sturner (6/22/2009)
It is really only dangerous in the case where appropriate and strict adherence to minimum required permissions and complex password safeguards are lacking or non-existent. Unfortunately this is true in too many situations and has resulted in giving this rather useful procedure a bad name. Most people take the brute force (easier) approach and disable the feature.

There are many ways to hack a database, this is but one of the more interesting ones. Having said that, proper adherence to SQL Server security on objects and logins along with application coding designed to be injection-proof will make this particular procedure no more of a danger than DROP TABLE. I'll get flamed for saying this but it is a fact.



I know this is an old thread but I wanted to add... I absolutely agree. It's not the tool that's bad. It's the way that people implement it.


--Jeff Moden
"RBAR is pronounced "ree-bar" and is a "Modenism" for "Row-By-Agonizing-Row".

First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."

(play on words) "Just because you CAN do something in T-SQL, doesn't mean you SHOULDN'T." --22 Aug 2013

Helpful Links:
How to post code problems
How to post performance problems
Post #1190290
Posted Saturday, April 6, 2013 12:35 PM


WayneS (6/22/2009)
rambilla4 (6/22/2009)
Hi,

We are using xp_cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?

That depends. Do you consider this code a threat?

exec master..xp_cmdshell 'FORMAT C:'



I know this is a wicked old thread but I have to ask... who can use that command? The answer is "Only people with SA privs" or people that the DBAs were stupid enough to grant a direct execution proxy to.

That being said and assuming that no one and no thing but the DBAs have the privs to execute xp_CmdShell, why do you think xp_CmdShell provides a security threat?


--Jeff Moden
Post #1439597
Posted Saturday, April 6, 2013 12:48 PM


Jeff Moden (4/6/2013)
WayneS (6/22/2009)
rambilla4 (6/22/2009)
Hi,

We are using xp_cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?

That depends. Do you consider this code a threat?

exec master..xp_cmdshell 'FORMAT C:'



I know this is a wicked old thread but I have to ask... who can use that command? The answer is "Only people with SA privs" or people that the DBAs were stupid enough to grant a direct execution proxy to.

That being said and assuming that no one and no thing but the DBAs have the privs to execute xp_CmdShell, why do you think xp_CmdShell provides a security threat?


Geez Jeff, getting bored and reading threads that have been dead for years?

I'm in the boat that it isn't so much of a threat if proper controls are in place. And for places where controls are lacking - audit.

There are good uses for cmdshell. They are being replaced with powershell these days - but not everybody is up to snuff on PoSH.




Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1439599
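An added example, not part of any post in this thread: a read-only T-SQL audit that answers the "who can use that command?" question and covers the "audit" suggestion above. It uses only SQL Server's own catalog views; the column aliases are chosen here for readability.

```sql
-- Added example: read-only audit of xp_cmdshell exposure on one instance.
-- Run as a sysadmin in SSMS or sqlcmd. Nothing here changes configuration.
USE master;

-- 1. Is the feature enabled? configured_value and running_value differ
--    when sp_configure was changed without RECONFIGURE.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Members of sysadmin: they can always run xp_cmdshell and can
--    re-enable it if it is switched off. Windows groups listed here
--    must be expanded in Active Directory to see the real people.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Non-sysadmin principals granted EXECUTE on the procedure directly.
--    An empty result is the state the thread calls "only the DBAs".
SELECT pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                                   -- object-level permission
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell')
  AND pe.permission_name = N'EXECUTE';

-- 4. Proxy credential used when a non-sysadmin runs xp_cmdshell.
--    If a row exists, check which Windows account it maps to and
--    what that account can reach on the server and the network.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

Rows from queries 3 and 4 are the ones to review first, because they extend OS command execution beyond the sysadmin role.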
Posted Saturday, April 6, 2013 5:06 PM


Nope. Not bored. Doing research. My take on it, so far, is that disabling xp_CmdShell to supposedly enhance security is like holding up a bath towel to protect you from a nuclear blast. If no one can use it other than SAs, then what is "everyone" so bloody afraid of? If someone that isn't supposed to, gets in as SA, it's not gonna matter if it's disabled or not. Some claim that it's an extra "layer" of security that an attacker would have to go through and I say they don't even have to use xp_CmdShell to raise hell at the OS level if they get in with SA privs.

To wit, if they think that turning off and not using xp_CmdShell is some form of security, I'm really concerned about what they think security is.

On the PowerShell thing, I use xp_CmdShell to call PowerShell. Between the two, a DBA can do some awesome stuff in a very secure manner.


--Jeff Moden
Post #1439607