wisl (8/25/2009)
I have a stored procedure that uses 'Ad hoc distributed queries' to query excel data, combine it with data from the database perform some manipulations and then BCP a csv file of the combined data.-snip-
What are the security implications of setting this option and leaving it on - this is our live server.
I've been researching this as well, and think I have come to a final understanding:
There are 3 basic security concerns with Ad Hoc Distributed Queries. 1) If the allowed provider has a bug in it (such as a buffer overflow) that compromises your security then this is one of way getting to it. I consider this the greater of the three problems as it can potentially be used to compromise your system.
2) It could be used to connect from a compromised server on your network to a non-compromised server, one that doesn't normally allow external connections from outside of your network.
3) It allows an already compromised database to report back to the attacker, giving additional information to be used to enable further attacks and/or to copy your data. I put this as the lesser of the three problems, because while it makes it easier to copy your data and decode your system, it doesn't actually allow them any extra rights or create a vulnerability.
John