Reindex maintenance plan error
- KenpoDBA - Wednesday, August 23, 2017 11:30 AM
@KenpoDBA - I believe your argument is invalid. I have worked in an environment with over 1000 instances of SQL Server, and over 200 of them were used by developers or business analysts who had their own jobs to take care of. Yes, I know that AD groups don't work for job ownership--that's what SQL Logins are for. It is really the responsibility of the company and its employees to be security conscious because every one of the developers and business analysts had to complete a mandatory "security in SQL Server" course before they were given the SQL Login credentials and were all held accountable for their actions when using it (we had a spiffy monitoring tool that would capture the login and the workstation being used, so auditing was simple).
I am not a proponent of stating that either sqlcmd or xp_cmdshell is "more" or "less" security worthy. They both have vulnerabilities that a DBA must address. That has NOTHING to do with what solution is used to perform necessary maintenance. I have never used Minion, but I don't have anything against it...I would have to use it first to have an opinion about it. I have used Ola's solution for years and have never had any problems with it--of course, I never granted access to people/logins to perform mischief like what was described in the article Jason referenced.
If you actually read my post and the one that Jason references, it will be clear that the person making the assertion that sqlcmd can be used for permission escalation is using an example that NO DBA anywhere would EVER do--or, if s/he did, they wouldn't be employed long afterwards. The article writer uses VERY specific permissions that aren't even necessary for managing SQL Agent jobs to make his point...which also is invalid because 1) It is unnecessary and 2) Why would any DBA ever grant those permissions?
Reread the post and deploy his example, while keeping in mind what is actually required for a login to manage a job--it is abundantly clear a person would have to go WAY out of their way to grant those permissions.Alan H
MCSE - Data Management and Analytics
Senior SQL Server DBA
Best way to ask a question: http://www.sqlservercentral.com/articles/Best+Practices/61537/ - SQLRNNR - Wednesday, August 23, 2017 11:44 AM
@jason - I don't believe I ever stated that xp_cmdshell is not secure. I was pointing out flaws in the article you referenced which supposedly shows a "weakness" in sqlcmd. No matter what method is used, it has to be secured. Like I told KenpoDBA, I've never used Minion and have nothing against it. I have, however, used Ola's solution for years, and have never had a problem with someone taking control of those jobs to run command in sqlcmd--because I secured their access to not be able to even get to those jobs.
Alan H
MCSE - Data Management and Analytics
Senior SQL Server DBA
Best way to ask a question: http://www.sqlservercentral.com/articles/Best+Practices/61537/ - SQL_Hacker - Wednesday, August 23, 2017 2:00 PM
I see two t-sql steps followed by a Powershell step. Nothing calling sqlcmd.
Sue
- KenpoDBA - Wednesday, August 23, 2017 7:06 AM
Sean, please re-read my post. I never said PowerShell being off was a reason to avoid using it.
And I don't honestly believe that most people have the ability to read something and make up their own mind intelligently.
Thanks for sharing. I appreciate you letting us know how you feel about most people.
These are complicated topics and most people don't put enough effort into it to really know what's important.
I tend to agree but that's no reason to withhold important information and stop trying to guide people towards seeing why those things are important. I try to do something every day in that capacity.
I am concerned though that you're still out there preaching against cmdshell even after the long thread in the article you linked to... again, another article by me. And I remember how impossible it was to get an answer out of you and we never did. So I'm asking you again. Get away from what you feel and tell me how cmdshell is a security risk. I don't want to hear about how far behind in the times it is, or how dumb people are for including it in their solutions. I just want a solid case of how it's a security risk, of how it lessens the security of your server. Without you giving me even on example, you have no argument. That's why I called that article 'Security Theater', because disabling cmdshell is just that, it's theater. It has no basis in reality.
Sean, I have explained my thinking numerous times. I would refer you back to the comment thread in the article I linked to. There are lengthy threads here on SSC as well between Jeff and I on this same topic. It's all there and I firmly believe you can extrapolate the security risks from the behavior of the tool and the situations where it can be used, implemented or exploited.There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato - Orlando Colamatteo - Wednesday, August 23, 2017 8:56 PM
I tend to agree but that's no reason to withhold important information and stop trying to guide people towards seeing why those things are important. I try to do something every day in that capacity.
I am concerned though that you're still out there preaching against cmdshell even after the long thread in the article you linked to... again, another article by me. And I remember how impossible it was to get an answer out of you and we never did. So I'm asking you again. Get away from what you feel and tell me how cmdshell is a security risk. I don't want to hear about how far behind in the times it is, or how dumb people are for including it in their solutions. I just want a solid case of how it's a security risk, of how it lessens the security of your server. Without you giving me even on example, you have no argument. That's why I called that article 'Security Theater', because disabling cmdshell is just that, it's theater. It has no basis in reality.
Sean, I have explained my thinking numerous times. I would refer you back to the comment thread in the article I linked to. There are lengthy threads here on SSC as well between Jeff and I on this same topic. It's all there and I firmly believe you can extrapolate the security risks from the behavior of the tool and the situations where it can be used, implemented or exploited.
You've never given me anything. Whenever I ask for specifics you give me answers like that... like how it's obvious if I just think about it. We've asked you again and again for a specific example and you fail to give one. It's always with the feelings, and the condescending tone that the rest of us aren't keeping up with you. Like I've said many times, and like Jason said, give us a specific example, or you don't have an argument. We've spent this much time asking for one without getting it because you don't have one. You know we're right but you refuse to admit it.
So let's say that we're beginners. Stop telling us that it's obvious, and tell us in plain english how cmdshell poses a security risk. There are bound to be beginners reading this; take this opportunity to teach them the right way. Don't speak in generalities, give a single example.Watch my free SQL Server Tutorials at:
http://MidnightDBA.com
Blog Author of:
DBA Rant – http://www.MidnightDBA.com/DBARantMinion Maintenance is FREE:
- KenpoDBA - Wednesday, August 23, 2017 9:07 PM
Sean, I have explained my thinking numerous times. I would refer you back to the comment thread in the article I linked to. There are lengthy threads here on SSC as well between Jeff and I on this same topic. It's all there and I firmly believe you can extrapolate the security risks from the behavior of the tool and the situations where it can be used, implemented or exploited.
You've never given me anything. Whenever I ask for specifics you give me answers like that... like how it's obvious if I just think about it. We've asked you again and again for a specific example and you fail to give one. It's always with the feelings, and the condescending tone that the rest of us aren't keeping up with you. Like I've said many times, and like Jason said, give us a specific example, or you don't have an argument. We've spent this much time asking for one without getting it because you don't have one. You know we're right but you refuse to admit it.
So let's say that we're beginners. Stop telling us that it's obvious, and tell us in plain english how cmdshell poses a security risk. There are bound to be beginners reading this; take this opportunity to teach them the right way. Don't speak in generalities, give a single example.
Condescending...hmm. That's rich coming from you, Sean, especially after the little gem you dropped earlier regarding "most people."I'll re-raise one that we have talked in the past. Think about losing track of the caller, i.e. losing look-through auditability, as one place where xp_cmdshell presents a security risk. It allows the caller to obfuscate their identity. That brings another one to mind which is permission elevation. Callers of xp_cmdshell are potentially having their permissions elevated on the network due to the callout happening in the context of the SQL Server service account. Honestly, it's all in the comments of the xp_cmdshell is evil article as well as on this site in many more posts, and on many other sites from people other than myself. I suspect that will not be enough for you now since it has not been enough for you thus far. If I can help refine this further, please let me know.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato - Orlando Colamatteo - Wednesday, August 23, 2017 9:19 PM
You've never given me anything. Whenever I ask for specifics you give me answers like that... like how it's obvious if I just think about it. We've asked you again and again for a specific example and you fail to give one. It's always with the feelings, and the condescending tone that the rest of us aren't keeping up with you. Like I've said many times, and like Jason said, give us a specific example, or you don't have an argument. We've spent this much time asking for one without getting it because you don't have one. You know we're right but you refuse to admit it.
So let's say that we're beginners. Stop telling us that it's obvious, and tell us in plain english how cmdshell poses a security risk. There are bound to be beginners reading this; take this opportunity to teach them the right way. Don't speak in generalities, give a single example.Condescending...hmm. That's rich coming from you, Sean, especially after the little gem you dropped earlier regarding "most people."
I'll re-raise one that we have talked in the past. Think about losing track of the caller, i.e. losing look-through auditability, as one place where xp_cmdshell presents a security risk. It allows the caller to obfuscate their identity. That brings another one to mind which is permission elevation. Callers of xp_cmdshell are potentially having their permissions elevated on the network due to the callout happening in the context of the SQL Server service account. Honestly, it's all in the comments of the xp_cmdshell is evil article as well as on this site in many more posts, and on many other sites from people other than myself. I suspect that will not be enough for you now since it has not been enough for you thus far. If I can help refine this further, please let me know.
See, now you finally gave me something solid at least. And unfortunately you're concentrating on the theater instead of the security.
1. Losing track of the caller -- This has a couple aspects to it. The first is the audit. It's very easy to setup an audit that captures every cmdshell call made. Here's a link: https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012. And it captures the original caller. So you see, that wasn't tough at all. I don't know if you can capture the calls in SQL2K8, but i know the syntax given in the link is invalid. So you're not actually losing track of the caller at all.
Now, even without cmdshell, there are a number of ways to lose track of the caller unless you're taking more extreme measures to audit your servers. You can call PS and do things with multiple credentials all over the network, you can run different job steps under different credentials and schedule it so your fingerprints are nowhere to be found, you can do the same thing in SSIS pkgs, and probably more. So you see, the potential to lose the original caller is everywhere. It's not a cmdshell problem.
2. Elevated Permissions -- Remember when i said that cmdshell doesn't hurt your security it just helps expose flaws that are already there? This is what I'm talking about, and it's a problem with far more than just cmdshell, it's a problem with the things i listed above and more. Locking down the service accts is essential. Don't run 50 sql boxes under the same acct and give them all local admin. You should be running each box under its own acct and only giving it the perms it needs on that box, and giving it explicit perms on every other box it needs to access. Only give explicit perms to everything you need to do. So since only sysadmins can run cmdshell by default, then there's not an issue with permission escalation. And if the service acct only has limited perms, then even the sysadmins are limited on what they can do through cmdshell. So even if someone breaks in and turns on cmdshell, they'll be able to do very little. See, actual security, not security theater of just disabling cmdshell and then doing whatever else you want in the environment. I'm concerned with actual security, not just the appearance of it. Imagine turning on cmdshell in your shop to do things you need to do inside SQL, and not having to worry that something really bad is going to happen because you've handled security properly. And when you open cmdshell to users, which i don't think is usually a good idea, but in order to do that, you have to define a credential for it to run under. Well guess what... you're supposed to lockdown that acct too. You don't give users access to cmdshell with an admin account behind it. And that's a limitation with opening up cmdshell to users... there's only one credential that's used for all of them, so some will have perms they don't need because you may have had to expand the perms of that credential so someone else could do what they needed. This is why i don't necessarily recommend it for end users. You provide other means to end users. But I can't say that it even weakens your security and exposes you to something bad because that credential only gets the permissions you give it. So just don't give the rights to do anything dangerous.
So this is why I still don't accept your premise that cmdshell is dangerous. And if you're afraid of it, then that just means that you really haven't secured your shop properly. So stop worrying about this single potential attack vector out of many, and start looking at your base-level security itself.Watch my free SQL Server Tutorials at:
http://MidnightDBA.com
Blog Author of:
DBA Rant – http://www.MidnightDBA.com/DBARantMinion Maintenance is FREE:
- KenpoDBA - Thursday, August 24, 2017 9:24 AM
Sean, you know your stuff. Your disposition is why I hesitate to lob you meatballs to swing at. Just because I provided an example does not mean I was looking for you to explain anything to me. Please appreciate that you are speaking with someone who understands the technical details that are part of this discussion. I am not trying to learn how to quell my concerns around xp_cmdhsell. I have had to secure environments and research how to do auditing when xp_cmdshell is enabled. I have looked into tools that block the cmd.exe process coming out of the SQL Server and even went into developing some PoC code in C++ to do that myself by registering events at the OS level.
The point is that what you've just laid out in your response was pretty weighty in terms of technical detail and subtext, and just plain weighty in terms of the number of words you had to type to get your point across. And I only raised two concerns, out of many. This type of information is rarely, if ever, attached to a recommendation to use xp_cmdshell to solve a technical problem. In fact many folks, yourself included, look to dismiss any hint of security concern. That's where you lose people like me that have legitimate reasons to raise these things when thinking about introducing it into an environment.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
Viewing 8 posts - 31 through 37 (of 37 total)
You must be logged in to reply to this topic. Login to reply