Home Forums Article Discussions Article Discussions by Author Discuss Content Posted by Steve Jones SQLCMD RE: SQLCMD

  • November 20, 2013 at 10:09 pm

    #1668018

    Jeff Moden (11/20/2013)

    opc.three (11/20/2013)

    I can think of ways a non-SA could be setup so they could enable xp_cmdshell without the use of a proxy. Your point?

    I can think of ways a non-SA could be setup so they could enable xp_cmdshell. What is your point?

    I don't believe either of the above is true but if it is, then you've made my point. Turning it off is a futile security effort. I'd also like to know how you think either of the above can actually be accomplished.

    Chances are I could accomplish this through a SQLCLR. I could definitely setup an Agent job that a low-priv user could run by executing a stored proc. Potentially a signed stored procedure but haven't tried it. I would bet there are lots of ways...

    Also, you should post you WMI intercept code on this thread, as well. I'm sure other people would be interested in it... especially since you don't actually have anything that will stop the use. I don't mean that sarcastically, either. It may be that someone could help setup a block (although I believe that might have some adverse affects on the operation of things like backups, etc).

    http://www.sqlservercentral.com/Forums/FindPost1450182.aspx

    And no... the XP that deletes files is good only for backup and certain types of report files. If you know of another XP that can delete text files, I'd sure like to know about it.

    Right, I said old files from the backup directory, implying database backup files.

    You and I started this argument several years ago and you said that you had a "Visceral Fear" about the use of xp_CmdShell. I agree that you do. 😉

    In the meantime, I'm going to continue to advocate the use of xp_CmdShell and you're going to continue to advocate against it. I am not, however, going to get into any more long discussions with you about it. I'm simply going to state the you have a visceral fear about it and that it's up to the reader if they want to take on a like fear.

    That was a creative use of words on my part meant to make a point, not meant to be taken literally. This is not the first time you have brought that comment up, and I am impressed that you do bring that up periodically because it means my wordsmithing worked, you remembered! Hopefully others will take the decision to enable xp_cmdshell seriously and after reading some of our long discussions, choose to take a route other than exposing a conduit into the host operating system via their SQL Server that supports identity obfuscation and many times permission elevation. It's one of those things, as the saying goes, if I can prevent one person from making the mistake of enabling and using xp_cmdshell then all the typing and time spent was worth it.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato