Home Forums SQL Server 2008 T-SQL (SS2K8) How to call a batch file to execute from an SP RE: How to call a batch file to execute from an SP

  • March 26, 2013 at 10:52 pm

    #1601025

    mister.magoo (3/26/2013)

    How do we all feel about SQL Agent Jobs and the ability to run operating system commands from them?

    (I know the user running the job will have been configured to have minimal permissions, but it still may have access to resources the attacker wouldn't normally have access to)

    And SSIS packages that can FTP / email / perform file operations / run ad-hoc .net code - are they ok ?

    Don't they also provide the opportunity for an "attacker" known or unknown to perform tasks with permissions other than their own?

    Or how about someone gaining access to your workstation or the server and using SQLCMD mode in SSMS to run operating system commands? (assuming you have already locked down the dos prompt and the windows Run command and the "Run..." command on the windows task manager and the File...Open dialogs in Office)...

    Oh hold on, while I was typing this, someone stole my server...damn it!

    :hehe:

    I'm pretty sure that having xp_CmdShell turned off isn't going to help any of those. 🙂

    --Jeff Moden

    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)