Security Problem Running Xp_cmdshell From Non-sa Account
Dec 17, 1999
Our system is MS SQL Server v7 and NT 4. We have a stored procedure that exec's xp_cmdshell to run an external program located on the server. When a user who has 'sa' rights runs this stored procedure it works fine. When a 'non-sa' user (via the "Builtin\Users" NT account) runs it, xp_cmdshell produces the following error:
Msg 50001, Level 1, State 50001
xpsql.c: Error 1385 from LogonUser on line 476
Is there an NT security or SQL Server setting I've overlooked that can be changed to allow non-sa users to xp_cmdshell programs?
n.b. The Builtin\Users account does already have execute permission on the xp_cmdshell procedure.
Mar 2, 2004
Hi all, I hope you can help me.
Basically a DTS package has been set up that pulls in data from another company's server; this data is required to be on-demand, i.e. individual users can pull in updates of the data when they require it.
I am using xp_cmdshell and dtsrun to pull in the data. This obviously works fine for me as I am a member of sysadmin.
Books Online quotes "SQL Server Agent proxy accounts allow SQL Server users who do not belong to the sysadmin fixed server role to execute xp_cmdshell"
So I went to the SQL Server Agent Properties 'Job System' tab and unchecked 'Non-sysadmin job step proxy account' and entered a proxy account.
The proxy account has been set up as a Windows user with local administrator privileges and even a member of the sysadmin server role - just in case.
Now when I log onto the db with my test account - a non-sysadmin - and attempt to run the stored proc to import the data I received the message 'EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo' '
Hmm... so basically I have either misunderstood BoL or there is something not quite right in my setup.
I have searched the net for a few days now and yet I can find no solution.
Can anyone help?
Apr 22, 2008
I'm having trouble getting xp_cmdshell to work after we changed the service account for our SQL Server. It was working perfectly before - so I know that execute permissions have been granted, and that we have a credential set up properly.
I have read that I need to ensure the service account has permissions to 'act as operating system' and 'replace a process level token'. I have granted these rights in the local security policy as well.
However, I still get:
A call to 'CreateProcessAsUser' failed with error code: '1314'.
Do I need to restart the service? Or the whole server? Or have I missed something else?
Any help will be much appreciated.
Oct 4, 2007
Re: SQL Server 2005
Does the xp_cmdshell proxy account need admin-level permissions on the server?
The reason I ask this is because I keep getting "Access is Denied" errors when trying to run this command as a non-admin:
master..xp_cmdshell dtexec 'some package'
The 'some package' has an "execute process task" which calls a batch file on the server.
If the proxy account is NOT a local admin, the "execute process tasks" fails with an "Access is Denied" error.
If the proxy account is a local admin, it executes fine.
We have given "Everyone" FULL CONTROL of all the folders that are affected by the batch file, and it still does not work.
I am out of ideas at this point. It just does not work unless it's an admin.
Are we missing something here?
Jan 26, 2007
Hi,
I have a least privileged SQL Login "Client" and have granted execute rights on XP_Cmdshell SP at master db. When I execute master..XP_Cmdshell 'dir' I'm getting the below error.
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
Please note it is SQL Login account and not windows account. I have checked everywhere for similar problem and no luck.
Thanks for your help in advance
With regards
GK
Jun 15, 2004
Hi all,
Pls let me know how to run xp_cmdshell command for a user who does not belong to sysadmin role.
Rgds
Srinivas varanasi
Sep 27, 2000
To try to secure an outside web application we set up a user that
only has permission to execute a series of stored procedures that are
related to the application. Unfortunately a couple of those stored
procedures have to access system resources outside SQL Server so we
are using a call to xp_cmdshell from inside the stored procedure.
SQL Server apparently won't let us do that unless we give our
restricted user (who is calling the initial stored procedure) execute
permission on xp_cmdshell. This, of course, negates most of the benefit
of setting up a restricted user. Is there some simple way I am missing
of running xp_cmdshell from inside a stored procedure without the user
calling the stored procedure having execute permission on xp_cmdshell?
Nov 10, 2005
I have a stored procedure that creates an xml file. It executes a SELECT statement with the FOR XML clause and then writes the xml file using bcp and xp_cmdshell. I am calling this procedure by passing it a parameter via ADO.
I have configured the SQL Server Agent with a proxy account so non-SysAdmin can execute xp_cmdshell.
I'm concerned about giving non-SysAdmins execute on xp_cmdshell. I'm also concerned about having to maintain the password on my proxy account when that user's password changes.
Is there a better, more secure way to generate this xml file?
Thanks
Jan 15, 2008
I am trying to run the following set of commands on our SQL 2005 SP2 server:
declare @cmd varchar(1000)
select @cmd = '%SystemRoot%\system32\cscript.exe %SystemRoot%\system32\iisvdir.vbs /create TestSite testvirtualdir C:\Inetpub\wwwroot\files'
exec master..xp_cmdshell @cmd
The objective is to programmatically create an IIS virtual directory from within a stored proc. I already have a proxy account configured using the sp_xp_cmdshell_proxy_account proc. The SQL server is a member server to a domain and the proxy account is a member of Domain Admins (per iisvdir.vbs requirement). When I login to the server as the proxy account and run the dos command in a window it executes just fine. However, the above SQL statements result in the following in server management studio:
"You cannot run this command because you are not an administrator on the server you are trying to configure."
If the xp_cmdshell runs under the proxy account, and the proxy account has been verified to be able to login and run the script independently, what gives?
Edit:
Just to make sure the proxy account was setup properly, I used the following cmd
select @cmd='set'
and its result set shows
USERNAME=sqladmin
which is indeed the name of the proxy/windows account that I can run the dos script under when logged into windows...
May 24, 2000
Hi everybody,
I am getting an error while running the XP_CMDSHELL 'NET USER /DOMAIN'.
But when I run the same command for sp_cmdshell 'net user' it works fine. It is giving me the local users that are available on my local PC. But now I want the domain users on my network, which is not working with the xp_cmdshell.
Thanks in advance.
Feb 9, 2007
I have created a job that runs this code:
exec master..xp_cmdshell 'D:\Trace_output\Auto_perfmon\Autoperfmon.bat'
This runs fine as long as I place the counter.txt file in the windows\system32 dir.
The bat file has this code:
typeperf -cf counter.txt -o D:\Trace_output\Auto_perfMon\autoperf
This starts without any issues and I see typeperf.exe in the task manager.
The question I have is how can I stop this without having to go into task manager and killing typeperf.exe?
thanks for your time
May 2, 2008
If possible, in both platforms, 2000 and 2005.
---
http://www.ssisdude.blogspot.com/
Jul 23, 2005
I am getting the following error when running a command in Query Analyzer.
Msg 50001, Level 1, State 50001
xpsql.cpp: Error 5 from CreateProcess on line 675
Here is the command that I am running that generates this error message:
xp_cmdshell "@ECHO test message > c: empewtemp.txt"
The command inside the xp_cmdshell command runs successfully from a Windows command prompt. Simpler commands also fail with the same error message. For example:
xp_cmdshell 'dir'
Can anyone suggest a solution to this problem? I assume this problem is due to a permissions/security issue. I have given Everyone Full Control over c: emp.
Windows 2000
SQL Server 2000
Thanks for any help.
Oct 18, 2015
Is there any possibility to schedule SQL job execution as Windows Security Group? I need to run powershell script through SQL job with one of this group member's permissions.
Feb 1, 2001
I executed xp_cmdshell command.
More than 24 hours this process still running.
I tried killing this process with enterprise manager and query analyser, both
gave me a message saying it's successfully killed. But when I do a sp_who,
the process is still there executing.
How can I kill this process that's running xp_cmdshell?
thanks
Feb 26, 2005
can any 1 give info on "Security Account Delegation"
thanks in advance
Jul 4, 2007
Hi,
I created a user account on my active directory service. I then tried to assign a service located on my SQL server to be executed by this account. However, when I try to configure my SQL server service, I get the following error message:
WMI Provider Error
"No mapping between account name and security ID was done"
Do you know what I am doing wrong?
thanks
Aug 6, 2007
By default does CLR code run under the SQL Service Server account or the SQL Agent Service Account? Does anybody have a link to BOL or MSDN???
My assumption is it's under SQL Server Service Account.
I'm trying to satisfy the DBA's security concerns in regards to CLR Code. If the account it runs under (Agent or service) has zero privileges will a DBA still be able to maintain the server? Wouldn't all their backups work under a privileged account that isn't the SQL Server Service Account?
Double posted in security.
Oct 28, 2015
Can you use a SQL service account (domain account) on two different SQL instances?
Can you set the SPN for both clusters instances with the same account?
Oct 22, 2006
Hi world,
I have a question, but first I need to give you some background:
My network works with Active Directory on Windows 2000, and I have web servers running on windows 2003 and SQL Servers 2000 running on Windows 2003.
I wanted to enable account delegation and I found a bunch of information.
Everything seemed "easy", but I tried to test it first on my test servers anyways and this is what happened:
We created the SPN for the SQL Server
Account is trusted for delegation check box was selected for the service account of SQL Server.
Account is sensitive and cannot be delegated check box was not selected for the user requesting delegation.
But when we checked the box Computer is trusted for delegation (and only this box !!) in the server running an instance of SQL Server 2000, the role of this server changed magically (just like this, guys, it was magic) from "server" to "Domain Controller".
We were intrigued about this change, but we "trusted" the white paper that we had in front of us.
http://support.microsoft.com/kb/319723
After some hours, the production web servers (of the whole network) and many workstations stopped working:
The IIS on these web servers will show an empty list of websites
The network and dial-up connections were missing on the web servers and also on the workstations.
The web servers and the workstations affected were "isolated" from the network, the command ping was not finding any of these computers.
Anyway, it was a nightmare, it took a while to fix the mess, we reverted the changes in Active Directory, and this makes me think that the magical "promotion" of the SQL server to Domain Controller had to do with all this.
The question is:
Do you have an idea about what could have caused all this? I mean, I still need to enable this account delegation thing. But I would like to know first if someone has done it before in a similar environment or if someone has run into one of the problems described before.
Thanks world.
Apr 26, 2007
Hi experts,
Is there any potential security threat using Proxy accounts in SQL Server 2005? If any, please give URLs for reference.
Thanks,
DBLearner
Oct 25, 2007
Hey Everyone,
I am testing restoring databases on another SQL 2005 server in our environment using HP data protector 5.5 and it's great. However, I notice that the security login accounts do not get restored. If this is the case how do I go about getting accounts restored? Also, are there any other options?
Cheers,
Mark
Jun 7, 2006
I received the following when trying to deploy a 2005 analysis services package over an existing database:
The following system error occurred: No mapping between account names and security IDs was done.
We have redeployed this solution several times over the last week and have never encountered this error. The changes that we are deploying are related to partitioning of the measure group fact tables - and are not related to security in any way. Can someone assist?
Jul 10, 2006
Hello,
I need to allow SQL server 2005 to open a file in a shared directory. Any assistance or help will be greatly appreciated!
Jun 27, 2006
VS2005
Hi
If I run the below code (this simply connects to SQL Server and returns the user name the connection is made under):
Dim Connection As New SqlConnection(System.Configuration.ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString)
Dim AttCommand As New SqlCommand("SELECT System_USER", Connection)
Connection.Open()
Dim AttendanceReader As SqlDataReader = AttCommand.ExecuteReader
AttendanceReader.Read()
Debug.Print(AttendanceReader.Item(0).ToString)
I get:
MyDomain\pootle.flump
Which is the account I am running on the dev machine. I expected ASP.Net to run as ASPNET irrespective of the currently logged in account. Am I plain wrong? Do I need to change something in IIS? Do I need to change something in ASP.Net?
Any help greatly appreciated
Thanks
Dec 19, 2001
Hi everybody.
Need help with security
1. SQLAgent service = domain\My_local_admin
2. Job created
Owner: domain\SQLDBA
step1
exec sp_Who2
step2
Run DTS
a)Connect to ANOTHER_SQL_SERVER USING windows authentication
b) truncate table xxx
3. Run daily every 1 hr
1. Who will run job, domain\My_local_admin or domain\SQLDBA ?
2. What account will be used to connect to ANOTHER_SQL_SERVER in step2
thank you
Feb 28, 2007
Hi There
When I go to configuration manager and change the SQL Server service to run as a domain account I get the following error:
No mapping between account names and security IDs was done.
This is Sql Server Express running on a domain controller - Windows Server 2003 R2.
Everything I find on the net refers to IIS, DHCP etc. etc., I cannot find the issue regarding SQL Server configuration manager.
Thanx
Oct 25, 2007
Hello all;
I am trying to form a replication system but at the very beginning I couldn't pass an obstacle.
While trying to create the Replication it says i have to change the user which starts the SQL Agent because the current starter user account is a system account and this will make the replication between servers fail.
"SQL Server Agent on OZN currently uses the system account, which causes the replication between the servers fail. In the following dialog box, specify another account for the service startup account."
I change it in the properties dialog box of the SQL Server Agent. The new account is the one I formed and granted accordingly. But it gives the following error when I try to apply the changes.
" Error 22042: xp_SetSQLSecurity() returned error -2147023564, 'No mapping between account names and security IDs was done' "
I tried many things, searched in the net, changed the owner of the database, applied new accounts, many grants, applied service pack 4, etc...
If anyone helps it will be very much appreciated. Thanks in advance...
Aug 26, 2015
Our software vendor rep is trying to upgrade MS SQL server 2008 SP4 to 2012 SP1. Get an error message: no mapping between account names and security ADs was done. He says that we get this error message because we have two domain controllers in our network, and one is running on the same Windows server that runs SQL Server. Our IT support disagrees to delete the second domain controller, saying it is recommended by Microsoft and he suggests that the problem is in Active Directory.
May 29, 2007
I'm trying to install SQL Server 2005 Express on a Windows 2000 server, but I'm getting the following error message:
"Failure setting security rights on user account SQLServer2005BrowserUser${computerName}"
Can anyone help me please?
Jul 23, 2015
Without going to services.msc / configuration manager, is there any way to know the service account through which SQL server is running?
Apr 28, 2006
Hi
Using SQL Server 2005 with SP1, I have successfully managed to schedule jobs to run SSIS packages. They connect to another SQLServer 2000 box, using SQLOLEDB connection manager, to extract data and import it into SQL 2005. The protection level for the packages is Server storage so that the job is run under the SQL Agent account. This is a specific domain account so that it can access other servers.
However, using the same setup for a scheduled job to run an SSIS package which connects to another SQL Server 2000 box with connection manager SQL OLEDB, I get the following error message:
The AcquireConnection method call to the connection manager "xxx" failed with error code 0xC0202009.
As both the successful and failed jobs seem to have been set up in the same way with the same protection levels and are both run under a domain SQL Agent account, is there anything else I should be checking that I don't know about?
Any help is much appreciated!
Nov 15, 2007
Hello,
I am totally confused by what account I should be running my sql server database and my business layer service as.
I take it that when installing sqlserver and my service that I should be logged in as administrator.
Should I be using "Local Service", "Local System" or "Network Service" to run these processes as?
Summary of my business layer service
* Clients connect to this service on a tcp/ip port
* It accesses the file system
* it connects to the database
Thanks,
JP