• Jeff Moden (5/6/2013)


    opc.three (5/6/2013)


    At the Windows level I think you can intercept and prevent attempts by the sqlservr.exe process to spawn instances of cmd.exe. I am guessing this is done using WMI but am not sure which Windows subsystem is used to do it. It is something that exists in the environment where I am currently, but I have very few details around what is seen by that process (I doubt it can know which member of sysadmin ran it through SQL Server since that is an application domain away) or how effective it is.

    Thanks, Orlando. Any way you could find out more about the environment you currently work in for that? And have you actually seen it stuff a request from xp_CmdShell? That would be the proof of the pudding, especially since that would also stuff requests by OPENROWSET and a couple of other avenues that people with "SA" privs have to get to a command line.

    I can't ask too many of those types of questions around here, if you know what I mean. I know there is a WMI Event for "process creation" we can listen for. If there is synchronous access in the context of "pre-execution" and the event payload includes the source process then it should be pretty easy. I'll try to work up a proof-of-concept myself, and see what I come up with.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
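As an added example that is not from either poster: a PowerShell WMI subscription that logs every process whose parent is sqlservr.exe, which is the detection half of the proof-of-concept discussed above. The log path and the source identifier are assumed names; it must run elevated on the SQL Server host.

```powershell
# Added example (not from the thread): watch Win32_ProcessStartTrace for any
# process started by sqlservr.exe (cmd.exe via xp_cmdshell, OPENROWSET, etc.).
# Caveat: WMI event subscribers are notified after the child process already
# exists, so this detects and alerts; it cannot veto the process creation.
# Requires an elevated session; Win32_ProcessStartTrace needs administrator rights.

$logPath = 'C:\Temp\sqlservr-child-processes.log'   # assumed location

$action = {
    $e = $Event.SourceEventArgs.NewEvent          # Win32_ProcessStartTrace instance
    $log = $Event.MessageData                     # log path passed in via -MessageData

    # The trace event only carries the parent PID; resolve it to a process name.
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ParentProcessID)" `
                  -ErrorAction SilentlyContinue
    if ($parent -and $parent.Name -eq 'sqlservr.exe') {
        # The child may already have exited; CommandLine is best-effort.
        $child = Get-CimInstance Win32_Process -Filter "ProcessId = $($e.ProcessID)" `
                     -ErrorAction SilentlyContinue
        # Sid is the Windows account the child runs as (the SQL Server service or
        # xp_cmdshell proxy account), not the SQL login that issued the command;
        # correlate with SQL Server auditing to attribute it to a person.
        $line = '{0} parent={1}({2}) child={3}({4}) sid={5} cmd="{6}"' -f `
                (Get-Date -Format o), $parent.Name, $parent.ProcessId,
                $e.ProcessName, $e.ProcessID, $e.Sid, $child.CommandLine
        Add-Content -Path $log -Value $line
    }
}

Register-CimIndicationEvent -ClassName Win32_ProcessStartTrace `
    -SourceIdentifier 'SqlServerChildProcess' -MessageData $logPath -Action $action

# To stop watching: Unregister-Event -SourceIdentifier 'SqlServerChildProcess'
```

The subscription lives only as long as the PowerShell session; a permanent WMI event consumer or a scheduled task would be needed for unattended monitoring.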