patternsqlMinor
Execute xp_cmdshell as a non-windows user
Viewed 0 times
nonuserxp_cmdshellwindowsexecute
Problem
So I have a bunch of database users who should be able to execute a procedure with a call to xp_cmdshell. They are not windows domain accounts, they are just sql-server logins. I want to do it using a proxy
I have a special windows-domain account for it, to whom I granted xp_cmdshell execution rights. I can successfully execute cmdshell using this account. I created the proxy account using the following command:
When I try to execute any xp_cmdshell command as a database user with no xp_cmdshell rights an error appears:
My question is - can I execute a xp_cmdshell command using an sql server login and I am simply missing something here or is it only possible using a domain account? Is there any other procedure to follow here to make it happen?
If I fail to make the above work I will have to switch some logic to a CLR procedure, but I am determined to make it work.
I am using sql-server 2012. Any help will be appreciated, thanks!
##xp_cmdshell_proxy_account##. I am aware of security threats that it may bring. I cannot use 'WITH EXECUTE AS admin' due to our company inner version control and I obviously do not want to grant all of the users rights to execute xp_cmdshell, that is why my only choice (am I right here?) is using the proxy account.I have a special windows-domain account for it, to whom I granted xp_cmdshell execution rights. I can successfully execute cmdshell using this account. I created the proxy account using the following command:
EXEC sp_xp_cmdshell_proxy_account [my_domain\special_account],'SuperSecretPassword'When I try to execute any xp_cmdshell command as a database user with no xp_cmdshell rights an error appears:
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.My question is - can I execute a xp_cmdshell command using an sql server login and I am simply missing something here or is it only possible using a domain account? Is there any other procedure to follow here to make it happen?
If I fail to make the above work I will have to switch some logic to a CLR procedure, but I am determined to make it work.
I am using sql-server 2012. Any help will be appreciated, thanks!
Solution
You can use a SQL Server login.
The following procedure is explained in MSDN:
To allow non-administrators to use xp_cmdshell, and allow SQL Server
to create child processes with the security token of a less-privileged
account, follow these steps:
Note You can also configure this proxy account using SQL
Server Management Studio by right-clicking Properties on your server
name in Object Explorer, and looking on the Security tab for the
Server proxy account section.
database, execute the GRANT exec ON xp_cmdshell TO ''
statement to give specific non-sysadmin users the ability to execute
xp_cmdshell. The specified login must be mapped to a user in the
master database.
The following procedure is explained in MSDN:
To allow non-administrators to use xp_cmdshell, and allow SQL Server
to create child processes with the security token of a less-privileged
account, follow these steps:
- Create and customize a Windows local user account or a domain account with the least privileges that your processes require.
- Use the sp_xp_cmdshell_proxy_account system procedure to configure xp_cmdshell to use that least-privileged account.
Note You can also configure this proxy account using SQL
Server Management Studio by right-clicking Properties on your server
name in Object Explorer, and looking on the Security tab for the
Server proxy account section.
- In Management Studio, using the master
database, execute the GRANT exec ON xp_cmdshell TO ''
statement to give specific non-sysadmin users the ability to execute
xp_cmdshell. The specified login must be mapped to a user in the
master database.
Context
StackExchange Database Administrators Q#146274, answer score: 3
Revisions (0)
No revisions yet.