Please start any new threads on our new
site at https://forums.sqlteam.com. We've got lots of great SQL Server
experts to answer whatever question you can come up with.
| Author |
Topic |
|
X002548
Not Just a Number
15586 Posts |
|
|
Bustaz Kool
Master Smack Fu Yak Hacker
1834 Posts |
Posted - 2011-05-18 : 19:44:52
|
| xp_cmdshell lets you run things at the OS level but needs a security context to operate in when at the OS level. If, at the SQL level, you are a sysadmin, you run, at the OS level, with the same rights as the SQL Service. If you are not sysadmin at the SQL level, you run, at the OS level, with the rights of the proxy account; in effect xp_cmdshell "logs into the OS" using the proxy account user and password. The proxy account is strictly an OS level concept.You still need to enable the use of xp_cmdshell; otherwise, SQL won't allow anyone to invoke it, including sysadmin. Having enabled xp_cmdshell, the non-sysadmin user still needs to be granted SQL rights to execute XP_cmdshell. sysadmin users don't need to be granted rights because they are sysadmin and will do whatever the heck they want, thank-you very much.=======================================Elitism is the slur directed at merit by mediocrity. -Sydney J. Harris, journalist (1917-1986) |
 |
|
|
X002548
Not Just a Number
15586 Posts |
|
|
Bustaz Kool
Master Smack Fu Yak Hacker
1834 Posts |
Posted - 2011-05-19 : 11:29:19
|
| The proxy account is a Windows only concept; it has nothing to do with SQL or SQL Logins.(I hope this next part doesn't sound condescending; I'm simply trying to clarify things by stating what you already know)Before you can use Windows, you need to login to the OS; just like you do every morning when you arrive at work. Based on the login, you get certain rights under Windows. Windows Administrators, for instance, can do more things than a normal user.When xp_cmdshell is invoked, it "logs into Windows" (just like you do when you arrive at work) and gets a defined set of resources (disk drives, read/read-write, etc.). It doesn't log into Windows as you; instead it either uses the SQL Service Account or the Proxy Account. The proxy account defines the Windows Login and Password to use when it "logs into Windows" and the SQL User is not a member of SQL sysadmin.=======================================Elitism is the slur directed at merit by mediocrity. -Sydney J. Harris, journalist (1917-1986) |
|
|
|
X002548
Not Just a Number
15586 Posts |
|
|
Bustaz Kool
Master Smack Fu Yak Hacker
1834 Posts |
Posted - 2011-05-19 : 12:41:11
|
| In re: what a mangement nightmareAgreed. I believe the thinking is that there should be a severely limited "special" Windows account that would be used as the proxy and have a non-expiring password. Under this, if security was ever breached at the SQL level, the xp_cmdshell could not be used to give carte blanche to the rest of the system.=======================================Elitism is the slur directed at merit by mediocrity. -Sydney J. Harris, journalist (1917-1986) |
|
|
|
|
|
|
|
|
sp_xp_cmdshell_proxy_account