| Author |
Topic |
|
juanb007
Starting Member
1 Post
Posted - 2009-07-21 : 21:54:09

Hi,

I am helping a client of mine to prepare for an IT SOX audit. In their last IT audit, made by PWC, they checked the SQL Server, which is where PeopleSoft stores the database. In the audit they found that many stored procedures are used. Here is the list:

• sp_replcmds
• sp_replcounters
• sp_repldone
• sp_replflush
• sp_repltrans
• xp_cmdshell
• xp_deletemail
• xp_dirtree
• xp_eventlog
• xp_findnextmsg
• xp_fixeddrives
• xp_getfiledetails
• xp_getnetname
• xp_loginconfig
• xp_readmail
• xp_regaddmultistrin
• xp_regdeletekey
• xp_regdeletevalue
• xp_regread
• xp_regremovemultistring
• xp_regwrite
• xp_sendmail
• xp_servicecontrol

My question is: is this bad from the SOX point of view? What can be done to fix this issue?

I have asked the IT manager and he said that if removing those stored procedures won't cause any problem to PeopleSoft he can remove them, but is it necessary?

Another issue related to the SQL database: the permissions on the database procedures are as follows:

Procedure Name:

• sp_add_job
• sp_add_jobschedule
• sp_add_jobserver
• sp_add_jobstep
• sp_enum_dtspackages
• sp_get_dtspackage
• sp_get_sqlagent_properties
• sp_start_job

All those procedures have execute permission, and the user who can execute them is user public. Is it bad? OK? What can I do to fix it?

Thanks a lot!!

juan

russell
Pyro-ma-ni-yak
5072 Posts
Posted - 2009-07-21 : 22:28:11

All of the sp_repl* procs are OK and in fact needed if you're using replication.

Most of the xp_* can and should be disabled (especially xp_cmdshell), or at the least make sure only sysadmin can execute.

public should not have access to any of the sp in your final list.
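
An audit query for the two findings discussed in this thread, added here as an example and not posted by either participant. It assumes SQL Server 2005 or later (catalog views), a sysadmin login, and that the job and DTS procedures live in msdb and the xp_* procedures in master.

```sql
-- Added example. Assumes SQL Server 2005 or later and a sysadmin login.
-- Procedure names are the ones listed in the question.

-- 1. msdb: which of the listed job/DTS procedures can public execute?
USE msdb;
GO
SELECT o.name AS procedure_name, pr.name AS grantee,
       p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr
  ON pr.principal_id = p.grantee_principal_id
JOIN sys.all_objects AS o
  ON o.object_id = p.major_id
WHERE p.class = 1                 -- object-level permission
  AND p.minor_id = 0              -- whole object, not a column
  AND pr.name = N'public'
  AND p.permission_name = N'EXECUTE'
  AND p.state IN ('G', 'W')       -- GRANT or GRANT WITH GRANT OPTION
  AND o.name IN (N'sp_add_job', N'sp_add_jobschedule', N'sp_add_jobserver',
                 N'sp_add_jobstep', N'sp_enum_dtspackages',
                 N'sp_get_dtspackage', N'sp_get_sqlagent_properties',
                 N'sp_start_job');
GO

-- 2. master: extended procedures (xp_*) that public can execute.
USE master;
GO
SELECT o.name AS procedure_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS pr
  ON pr.principal_id = p.grantee_principal_id
JOIN sys.all_objects AS o
  ON o.object_id = p.major_id
WHERE p.class = 1 AND pr.name = N'public'
  AND p.permission_name = N'EXECUTE' AND p.state IN ('G', 'W')
  AND o.type = 'X'                -- extended stored procedure
  AND o.name LIKE N'xp[_]%';
GO

-- 3. Is xp_cmdshell enabled? value_in_use = 1 means enabled.
SELECT name, value_in_use FROM sys.configurations WHERE name = N'xp_cmdshell';

-- 4. Remediation, one statement per row returned above, applied only after
--    testing that PeopleSoft and SQL Agent users do not depend on it:
-- REVOKE EXECUTE ON dbo.sp_add_job FROM public;     -- run in msdb
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;  -- needs 'show advanced options' = 1
```

Keeping the result sets from before and after the change gives the auditor evidence of both the finding and its remediation.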
 |
|
|
|
|
|