• mister.magoo (3/26/2013)


    How do we all feel about SQL Agent Jobs and the ability to run operating system commands from them?

    (I know the user running the job will have been configured to have minimal permissions, but it still may have access to resources the attacker wouldn't normally have access to)

    And SSIS packages that can FTP / email / perform file operations / run ad-hoc .NET code - are they OK?

    Don't they also provide the opportunity for an "attacker" known or unknown to perform tasks with permissions other than their own?

    Or how about someone gaining access to your workstation or the server and using SQLCMD mode in SSMS to run operating system commands? (Assuming you have already locked down the DOS prompt, the Windows Run command, the "Run..." command in the Windows Task Manager and the File...Open dialogs in Office.)

    Oh hold on, while I was typing this, someone stole my server...damn it!

    :hehe:

    All good points and all things that need to be considered when securing an environment.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
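A defender's starting point for the first question in the quoted post (which Agent jobs can reach the operating system, and as whom), as an added example that is not from the thread: a T-SQL audit over the documented msdb catalog views that lists every job step running outside the T-SQL subsystem together with the proxy and Windows credential it executes under, followed by a check of whether xp_cmdshell is switched on. The query text and its column aliases are my own; the table and column names are the standard msdb/sys ones.

```sql
-- Added audit query (not from the original post). Requires sysadmin or
-- SQLAgentReaderRole in msdb. Lists Agent job steps that execute outside
-- T-SQL, i.e. the ones that can run OS commands, scripts or SSIS packages,
-- and resolves the identity each step actually runs as.
SELECT
    j.name                        AS job_name,
    j.enabled                     AS job_enabled,
    s.step_id,
    s.step_name,
    s.subsystem,                  -- 'CmdExec', 'PowerShell', 'SSIS', ...
    CASE
        WHEN s.proxy_id IS NULL THEN 'SQL Agent service account'  -- no proxy: full service account rights
        ELSE p.name
    END                           AS runs_as_proxy,
    c.credential_identity         AS windows_identity,  -- NULL when no proxy is used
    LEFT(s.command, 200)          AS command_preview
FROM msdb.dbo.sysjobs      AS j
JOIN msdb.dbo.sysjobsteps  AS s ON s.job_id = j.job_id
LEFT JOIN msdb.dbo.sysproxies AS p ON p.proxy_id = s.proxy_id
LEFT JOIN sys.credentials     AS c ON c.credential_id = p.credential_id
WHERE s.subsystem <> 'TSQL'
ORDER BY j.name, s.step_id;

-- Who is allowed to create or run jobs at all: members of the three
-- SQL Agent fixed database roles in msdb.
SELECT r.name AS agent_role, m.name AS member_principal
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole')
ORDER BY r.name, m.name;

-- Server-level OS command surface: value_in_use = 1 means xp_cmdshell is enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Any step in the first result set that runs under the service account rather than a least-privilege proxy, and any row in the second set that is not an expected DBA, is the item to follow up on.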