It's a well-known fact that anyone with "SA" privs can turn on xp_CmdShell and use it, and that includes any would-be attackers that can gain access to SQL Server as a login that has "SA" privs. There are some very good best practices to help prevent an attacker from "getting in as 'SA'", including disabling the "SA" login, but that doesn't prevent an attacker from getting in as a DBA who might have "SA" privs by using any one of a dozen automated password cracking methods.
In my study on the subject, I came across an article at the following URL http://msdn.microsoft.com/en-us/library/ms175046.aspx where I found the following quote:
Because malicious users sometimes attempt to elevate their privileges by using xp_cmdshell, xp_cmdshell is disabled by default. Use sp_configure or Policy Based Management to enable it.
That's actually a pretty useless recommendation so far as I'm concerned. Since malicious users can't actually use xp_CmdShell unless they have "SA" (or Control Server) privs, they'll try to break in as someone with "SA" privs. If they succeed, there is NOTHING that I'm aware of in SQL Server that will prevent them from turning xp_CmdShell on and using it for whatever they need to use it for. Of course, you can limit the damage by throttling back the privs of the logins for the SQL Server Service and the SQL Agent but they can still mess with your server a lot by using xp_CmdShell.
So, the best thing to do would be to make it so that even "SA" prived logins couldn't enable xp_CmdShell. The useful part of the quote above is that you can use "Policy Based Management to enable it", which implies that you can use PBM to disable it, as well.
With that thought in mind, is there a way to use Windows or anything within SQL Server to make it so that even people with "SA" privs can't enable xp_CmdShell? My initial thought is "NO" but I'm definitely NOT a Windows security guru by any means and I'm not even sure what I should be looking for to answer this question.
And, to be honest, I don't care which way it comes out... I just need a definitive answer one way or another.
Thanks for the help, folks. I really appreciate it.
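For readers following the question above, here is the sp_configure sequence the MSDN quote refers to, with the checks a DBA would run before and after. This is an added example, not code from the original post; it assumes a sysadmin (or CONTROL SERVER) login on SQL Server 2005 or later, and the `whoami` command is only there to show which Windows account the shell runs under.

```sql
-- Added example (not from the original post): enabling and disabling xp_cmdshell
-- with sp_configure, plus the checks a DBA would run before and after.
-- Assumes a sysadmin (or CONTROL SERVER) login on SQL Server 2005 or later.

-- 1. Who am I, and do I hold the privilege that gates xp_cmdshell?
SELECT SUSER_SNAME()                                    AS login_name,
       IS_SRVROLEMEMBER('sysadmin')                     AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'CONTROL SERVER')  AS has_control_server;

-- 2. Current state of the switch (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell');

-- 3. Enable it. 'xp_cmdshell' is an advanced option, so it has to be exposed first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Show the OS-level reach. For a sysadmin the command runs under the SQL Server
--    service account, which is why the service account's privileges matter;
--    non-sysadmin callers run under the proxy set with sp_xp_cmdshell_proxy_account.
EXEC xp_cmdshell 'whoami';

-- 5. Put it back, and hide the advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 6. Confirm the switch is off again.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';
```

Step 3 is the whole "attack": nothing in it requires anything beyond the privilege checked in step 1, which is the point the question makes. On the Policy Based Management side, the Surface Area Configuration facet that exposes the XPCmdShellEnabled property only supports On Demand and On Schedule evaluation, so a policy built on it can detect the change and (with a scheduled evaluation and a configured action) revert it afterward, but it does not intercept the sp_configure call itself.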