
Thread: SQL - xp_fileexist......

  1. #1
    Join Date
    Oct 2008
    Posts
    3

    SQL - xp_fileexist......

    It is my understanding that if xp_fileexist is granted to 'Public' then a normal user can use it to cause the SQL server to initiate connections to remote machines. One will have the same rights and permissions as whichever NT account is configured to start SQL server. This account is generally either an administrator or system account. In either case, a substantial risk is posed if the extended procedure is not locked down to not allow non-sa users to execute it.

    Is the statement above accurate for SQL 2005? I know it was the case for SQL 2003. Can someone please confirm that this is still a risk with '05?

    Thank you.

  2. #2
    Join Date
    Sep 2002
    Posts
    5,938
    Works the same way in SQL2k5; SQL runs it under the SQL service account for users who have sysadmin rights. For users without sysadmin rights, you can set a proxy account for them.

  3. #3
    Join Date
    Oct 2008
    Posts
    3

    ..

    Thanks... so would you say that this is a significant or small risk?

  4. #4
    Join Date
    Sep 2002
    Posts
    5,938
    Depends on the company's security requirements. Non-sysadmins can't check files but sysadmins maybe; are your system guys happy with that?

  5. #5
    Join Date
    Oct 2008
    Posts
    3
    I'm confused.

    I thought that since Public has full access, anyone would be able to do this???

  6. #6
    Join Date
    Sep 2002
    Posts
    5,938
    SQL runs it under the SQL service credential for sysadmins and local for non-sysadmins; that everyone can run it doesn't mean everyone can access remote files.
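
To check the configuration discussed in this thread, the following T-SQL is an added example (not posted by anyone in the thread). It lists EXECUTE permissions on extended stored procedures in master, flags those granted to public, and shows the revoke as a commented-out statement. It assumes SQL Server 2005 or later and a login allowed to read permission metadata in master.

```sql
-- Added example, not from the thread: audit who may EXECUTE extended
-- stored procedures in master, with xp_fileexist sorted to the top.
USE master;
GO

SELECT
    o.name             AS extended_proc,
    pr.name            AS grantee,
    pe.permission_name,
    pe.state_desc,     -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
    CASE
        WHEN pr.name = N'public' AND pe.state_desc LIKE N'GRANT%'
            THEN 'granted to public: review'
        ELSE ''
    END                AS note
FROM sys.database_permissions AS pe
JOIN sys.all_objects         AS o
    ON o.object_id = pe.major_id
JOIN sys.database_principals AS pr
    ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                       -- object-level permissions
  AND pe.minor_id = 0                    -- whole object, not a column
  AND o.type = 'X'                       -- extended stored procedures
  AND pe.permission_name = N'EXECUTE'
ORDER BY
    CASE WHEN o.name = N'xp_fileexist' THEN 0 ELSE 1 END,
    o.name,
    pr.name;
GO

-- Effective permission for the login running this batch (1 = can execute).
-- Run it as a low-privileged test login to see what public membership gives.
SELECT HAS_PERMS_BY_NAME(N'sys.xp_fileexist', N'OBJECT', N'EXECUTE')
       AS can_execute_xp_fileexist;
GO

-- Remediation, run by a sysadmin after confirming nothing depends on it:
-- REVOKE EXECUTE ON sys.xp_fileexist FROM public;
```

Run the first query again after any revoke to confirm the public row is gone, and test applications that may call the procedure before changing a production server.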
