Technical Article

Remove Exec Permissions To Extended Stored Procs

,

I created this script to simplify the process of restricting access to high risk extended stored procedures. It will find any user or role which has execute permissions on any of the stored procedures in the "#High_Risk_Stored_Procs" temp table and will generate the relevant revoke statements to remove those permissions.

The current list of stored procedures was taken from "SQL Server Security" by Chip Andrews, David Litchfield and Bill Grindlay. But you can easily insert additional stored procs into the "#High_Risk_Stored_Procs" temp table.

To use just change your query results to Text and copy and past the results into a new query window.

N.B. Remember to test this in your development environment first and keep a copy of the revoke script so that you can easily roll back.

-- =================================================
-- Remove Exec Permissions To Extended Stored Procs 
-- =================================================
-- Author: Stevo Smocilac
-- Created: 7 November 2006
-- Version: 1.0

-- Description --
-- This script will find any user or role which has execute permissions on any of the stored procedures in the “#High_Risk_Stored_Procs” temp table and generate the relevant revoke statements to remove these permissions.

SET NOCOUNT ON
Use tempdb
GO
--Create all temp tables
CREATE TABLE #Access_To_Extended_Stored_Procs
(ProcName varchar(255),
Username varchar(255))
GO
CREATE TABLE #High_Risk_Stored_Procs
(Stored_Proc varchar(255) NULL)
GO

--Insert data into the temp tables
--Get a list of all the users which have access to any of the extended stored procedures in the master db
INSERT INTO #Access_To_Extended_Stored_Procs
SELECT master.dbo.sysobjects.name AS ProcName, master.dbo.sysusers.name AS Username
FROM master.dbo.sysobjects 
INNER JOIN master.dbo.sysprotects 
ON master.dbo.sysobjects.id = master.dbo.sysprotects.id 
INNER JOIN master.dbo.sysusers 
ON master.dbo.sysprotects.uid = master.dbo.sysusers.uid 
WHERE     (master.dbo.sysobjects.xtype IN ('X', 'P')) 
AND (master.dbo.sysprotects.protecttype IN ('204', '205'))
ORDER BY master.dbo.sysobjects.name
GO

--Populate the table of high risk stored procedures, you can add new procedures here if required
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OACreate')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OADestroy')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OAGetErrorInfo')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OAGetProperty')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OAMethod ')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OASetProperty ')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_OAStop')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('sp_SdiDebug')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_availablemedia')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_cmdshell')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_deletemail')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_displayparamstmt ')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_dropwebtask')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_dsninfo')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_enumdsn')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_enumerrorlogs')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_enumgroups')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('XP_EnumQueuedTasks')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_eventlog')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_execresultset ')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_fileexist')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_findnextmsg')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_fixeddrives')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_getfiledetails')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_getnetname')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_grantlogin')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_logevent')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_loginconfig')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_logininfo')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_makewebtask')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_msver')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_ntsec_enumdomains')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('XP_PerfSample')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('XP_PerfStart')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_printstatements ')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_readerrorlog')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_readmail')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regaddmultistring')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regdeletekey')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regdeletevalue')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regenumkeys')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regenumvalues')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regread')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regremovemultistring')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_regwrite')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_revokelogin')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_runwebtask')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_sendmail')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_servicecontrol')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_Snmp_GetState')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_Snmp_RaiseTrap')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_sprintf')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_SqlInventory')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_SqlRegister')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_SqlTrace')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_sscanf')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_startmail')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_stopmail')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_subdirs')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_Terminate_Process')
INSERT [#High_Risk_Stored_Procs] ([Stored_Proc]) VALUES ('xp_unc_to_drive')
GO

--Join the data from the two temp tables and create the revoke script
use [master]
GO
SELECT 'use [master]
'+'REVOKE EXECUTE ON [dbo].['+#High_Risk_Stored_Procs.Stored_Proc+'] TO ['+#Access_To_Extended_Stored_Procs.Username+']' +'
GO'
FROM#Access_To_Extended_Stored_Procs 
INNER JOIN #High_Risk_Stored_Procs ON #Access_To_Extended_Stored_Procs.ProcName = #High_Risk_Stored_Procs.Stored_Proc 

--Cleanup temp tables
Drop table #Access_To_Extended_Stored_Procs
Drop table #High_Risk_Stored_Procs
GO

Rate

5 (1)

You rated this post out of 5. Change rating

Share

Join the discussion and add your comment

Share

Rate

5 (1)

You rated this post out of 5. Change rating

Related content

SQLServerCentral Article

Harnessing SQL Server Metadata- Disabling and Rebuilding Indexes

When doing bulk data changes it may be beneficial to disable indexes prior to starting the operation. Fortunately, SQL's rich metadata makes this very easy to automate in a robust fashion.

4.92 (12)

You rated this post out of 5. Change rating

2018-05-18 (first published: )

4,787 reads

Technical Article

Query to Display Trigger Status

Ever wanted to know whether your triggers are enabled or not? The ObjectProperty command allows you to select information about the status of objects in your database, returning 1 for True and 0 for False. The example below determines whether a single trigger is disabled. SELECT ObjectProperty(object_id('Trigger_Name'), 'ExecIsTriggerDisabled') There are a number of other useful […]

5 (1)

You rated this post out of 5. Change rating

2001-10-28

1,196 reads