Viewing 15 posts - 1,441 through 1,455 (of 7,164 total)
Sergiy (3/24/2013)
opc.three (3/24/2013)
Sergiy (3/24/2013)
Version control. Change management processes. Code review. Layers...
What all these words have to do with stealing data by launching an ad-hoc query using SA privileges?
Or you really...
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
March 25, 2013 at 6:48 am
Read up on how to call a script using powershell.exe. That does not look right. The ampersand is for code-blocks iirc. Just run the stuff I gave you at a...
March 24, 2013 at 10:00 pm
Sergiy (3/24/2013)
opc.three (3/24/2013)
But consider the employee in the sysadmin Role looking to steal data without being detected.
And?
How adding an "sp_configure" command to a script used for stealing data...
March 24, 2013 at 9:27 pm
Sergiy (3/24/2013)
opc.three (3/24/2013)
All of those things should be done in addition to leaving xp_cmdshell disabled.
If those things are done there is no point of disabling xp_cmdshell.
Why do you need it?...
March 24, 2013 at 8:58 pm
Sergiy (3/24/2013)
opc.three (3/24/2013)
You're still hung up on external scenarios.
Not really.
Replace "intruder" with "employee gone nuts".
What does it change?
Not much you can do there. But consider the employee in the sysadmin...
March 24, 2013 at 8:53 pm
Sergiy (3/24/2013)
opc.three (3/24/2013)
March 24, 2013 at 8:19 pm
Sergiy (3/24/2013)
opc.three (3/24/2013)
The fact is that a system with xp_cmdshell disabled has fewer security exposures, has fewer vulnerabilities and is more auditable than a system where it is enabled.
OK.
I'm an...
March 24, 2013 at 8:17 pm
You're still hung up on 'external attackers.' The point is, xp_cmdshell is a blunt tool that cannot be audited and allows people to run commands as someone else, possibly with...
March 24, 2013 at 7:17 pm
It is their choice ultimately, but to paraphrase a comment you have made in the past, characterizing xp_cmdshell as "safe as a SELECT statement" is just plain inaccurate. In the...
March 24, 2013 at 6:06 pm
Jeff Moden (3/24/2013)
March 24, 2013 at 3:32 pm
Jeff Moden (3/24/2013)
Michael L John (3/21/2013)
BUT I also stand by the statement because unfortunately poor security seems to be the norm. It seems as if DBA's are so...
March 24, 2013 at 3:17 pm
Jeff Moden (3/24/2013)
March 24, 2013 at 3:08 pm
Jeff Moden (3/24/2013)
opc.three (3/24/2013)
Michael L John (3/21/2013)
BUT I also stand by the statement because unfortunately poor security seems to be the norm. It seems as if DBA's are...
March 24, 2013 at 2:02 pm
Oracle_91 (3/24/2013)
installing powershell do we any security risks as mine windows 2003. am not sure we can download sdk which has powershell 2.0. can u share the script?
PowerShell is a...
March 24, 2013 at 12:39 pm
Oh well. I thought it was worth checking, thanks for clarifying. So much for applying a patch in case you were in fact hitting a SQL2000 DB. Follow the advice...
March 24, 2013 at 12:11 pm