Tip of the Day
Language: Enterprise
Expertise: Intermediate
May 10, 1999

Lock the Back Door Too

An extended stored procedure called xp_cmdshell causes SQL Server to spawn a command shell and execute the command given as a parameter. For example, xp_cmdshell 'dir c:\mssql\backup' returns a listing of the files in the backup directory. In general, this utility is useful for administrators. Be aware, however, that the command executes with the privileges of the account under which SQL Agent executes. Since this account is typically a member of the administrator group, a user could wreak tremendous havoc ("I didn't realize that format c: would cause any problems! Really!").

To limit this command to administrators, right-click the SQL Server Agent icon in Enterprise Manager and choose "Properties" from the menu. Choose the Job System tab. At the bottom there is a checkbox next to text that reads "Only users with Sysadmin privileges can execute CmdExec and ActiveScripting jobs here." Make sure the checkbox is checked.

Joseph Lax
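
A follow-up check for the restriction described above, added here as an example and not part of the original tip: a T-SQL audit of who can reach xp_cmdshell. It assumes SQL Server 2005 or later, whose catalog views and xp_cmdshell configuration option postdate this tip; the column aliases are illustrative.

```sql
-- Added example (not from the original tip). Assumes SQL Server 2005 or later.
-- Read-only audit: nothing here changes configuration or permissions.
USE master;
GO

-- 1. Is xp_cmdshell enabled at all? value_in_use = 0 means it is switched off.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which principals hold an explicit permission on xp_cmdshell?
--    Any GRANT to a non-administrative user or role deserves review.
SELECT pr.name            AS grantee,
       pr.type_desc       AS grantee_type,
       pe.permission_name AS permission,
       pe.state_desc      AS grant_state
FROM sys.database_permissions AS pe
JOIN sys.all_objects          AS o
  ON o.object_id = pe.major_id
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                 -- object-level permissions
  AND o.name = N'xp_cmdshell'
ORDER BY pr.name;

-- 3. Is a proxy credential defined? If it is, non-sysadmin callers run their
--    commands as this Windows account, so check its group memberships.
SELECT name, credential_identity, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 4. Who is in the sysadmin role, and can therefore always run the command?
SELECT m.name      AS sysadmin_member,
       m.type_desc AS login_type,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r
  ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m
  ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;
```

An empty result from query 2 together with an empty result from query 3 means only the sysadmin members listed by query 4 can execute the command.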
 