by Jeff Moden
by Jeff Moden
17 years experience working with SQL Server
Mostly Self Taught
One of Leading Posters on SQLServerCentral.com
More than 32,000 posts (heh … some are even useful)
30+ articles on the “Black Arts” of T-SQL
http://www.sqlservercentral.com/Authors/Articles/Jeff_Moden/80567/
Member since 2003
SQL Server MVP 2008 thru 2013
Winner of the Red Gate “Exceptional DBA” award for
2011
Sr. System/Application DBA, Data Architect, and SQL
Mentor for Proctor Financial, Inc.
SQL Server is both my profession and my hobby
(Yeah, I know… I need to get a life ;-)
Disabling xp_CmdShell... Is it Really a "Best Practice"?
3
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
XP_CmdShell is a powerful tool that can greatly simplify the life of DBAs.
You can quickly and easily write full ETL systems, up/down-load FTP files, call
PowerShell scripts to interrogate the status of hard-disks across the enterprise with nary a 3 rd party tool in sight, and much more.
And it can all be done under the control a scheduled job system that you already know and that keeps its own logs.
Yet, you'll find millions of people that agree that disabling xp_CmdShell is a best practice. Some even say that it should never be used. Why? Disabling it supposedly decreases the system "surface area" of possible attack and never using it supposedly solves the problem of someone elevating their privileges with it.
Well, surprise! Disabling xp_CmdShell doesn't actually solve any of those problems. In fact, disabling it may actually hurt security.
Come to this session to find out why turning off xp_CmdShell may be a "worst practice" and how to allow individuals/applications to run it safely.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
5
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Began search for White Papers to show why having xp_CmdShell enabled was a bad idea.
Found WPs but none of the “official” documentation ever said “Don’t use it”.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
6
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Example White Paper
http://download.microsoft.com/downl oad/8/F/A/8FABACD7-803E-40FC-
ADF8-
355E7D218F4C/SQL_Server_2012_Se curity_Best_Practice_Whitepaper_Ap r2012.docx
Disabling xp_CmdShell... Is it Really a "Best Practice"?
7
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
“xp_CmdShell” found in 4 places in that reference…
“xp_cmdshell availability”
“xp_cmdshell - executes a command in the underlying operating system”
“Disable xp_cmdshell unless it is absolutely needed .”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
8
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
th
“Because some system procedures interact with the operating system or execute code outside of the normal SQL Server permissions, they can constitute a security risk. System stored procedures such as xp_cmdshell or sp_send_dbmail are off by default and should remain disabled unless there is a reason to use them . In SQL Server 2005 and above, you no longer need to use stored procedures that access the underlying operating system or network outside of the SQL Server permission space. SQLCLR procedures executing in EXTERNAL_ACCESS mode are subject to
SQL Server permissions, and SQLCLR procedures executing in
UNSAFE mode are subject to some, but not all, security checks. For example, to catalog a SQLCLR assembly categorized as
EXTERNAL_ACCESS or UNSAFE, either the database must be marked as TRUSTWORTHY (see Database Ownership and Trust) or the assembly must be signed with a certificate or asymmetric key that is cataloged to the master database. SQLCLR procedures should replace user-written extended stored procedures in the future.”
Set a database to TRUSTWORTHY? You CAN’T be
SERIOUS!!!
Disabling xp_CmdShell... Is it Really a "Best Practice"?
9
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
“Use only if needed”?
If disabled, who can turn it on?
Can an attacker turn it on?
Am I depriving myself, as a DBA, of a great tool?
Considering the “ use only if needed ” recommendation, what does it buy me to turn it off?
Is there any reason why it couldn’t be turned on and left on?
WHAT IS THE REAL RISK???
Disabling xp_CmdShell... Is it Really a "Best Practice"?
10
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Define the Problem
Analysis
What if xp_CmdShell is Disabled
What if xp_CmdShell is Enabled
Other Concerns
Conclusion
Enable Stored Procedures to Safely
Use xp_CmdShell
Setup Procs to Work with xp_CmdShell
Avoid “DOS Injection”
Q’n’A
Disabling xp_CmdShell... Is it Really a "Best Practice"?
11
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
I left out the Hypothesis and
Prediction parts because I wanted to eliminate any preconceived notions that I may have had about the use of xp_CmdShell.
I also left out most of the “Testing” step because it’s all been tested and very well documented in Books
Online and other documents.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
13
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Given #1:
The overwhelming recommendation accepted by more of the world than not is to disable xp_CmdShell for reasons of security. To wit, it is currently considered to be a "best practice".
Given #2: xp_CmdShell is an incredibly powerful and flexible tool that allows DBAs and master developers to write stored procedures and jobs to quickly and easily resolve many common DBA, reporting, ETL, and other tasks.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
14
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Master Question:
Does disabling xp_CmdShell provide any layer of extra security?
If it does, then it might be a “Best
Practice”.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
15
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Ancillary Question #1:
Does enabling xp_CmdShell and leaving it enabled provide any security DISadvantage?
If it doesn’t, then disabling it might not be a “Best Practice”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
16
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Ancillary Question #2:
Which is better?
Disabling it and never using it?
Enabling it only when needed and then disabling it, again?
Enabling it and leaving it enabled?
Note that I didn't identify what "better" means in this question because I didn't want to limit any discoveries.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
17
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q1: IF xp_CmdShell is DISABLED, who can use it?
A1: No one. It must be ENABLED in order to use it.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
19
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q2: Who can enable xp_CmdShell?
A2: Only someone with “SA” or
“Control Server” privs.
These may be system logins, application logins, logins that are members of groups with the priv, or individual logins.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
20
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q3: Does disabling xp_CmdShell prevent logins with "SA" privs from enabling it?
A3: No.
Any login that can gain access to the server with "SA" privs can enable xp_CmdShell including any attacker, either internal or external.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
21
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q4: In reference to Answer #3, if an attacker does gain access to the system through a login having "SA" privs, does having xp_CmdShell disabled provide any level of extra security?
A4: Yes… but it appears to be trivial in nature.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
22
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Once an attacker has gained access to the server with "SA" privs, the "attack software" being used takes less than 3 milliseconds to test its state and enable it (witnessed during a "Hacking
SQL Server" demonstration).
A "manual attack" (which I did myself) took only seconds more to enable it.
There was nothing that prevented enabling it by any login that has "SA" privs.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
23
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q5: Does having xp_CmdShell disabled provide any security advantages?
A5: Yes but, again, it's trivial in nature.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
24
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Enabling xp_CmdShell does do some very minimal logging to trace the event but an attacker will likely break in either as a system login (usually "SA"), via some application login, or as a human login registered on the server.
In any case, it's not at all likely that the attacker will break in as him/her self so there is no reliable "conviction" path to correctly identify the actual perpetrator.
To wit, the logging being done when xp_CmdShell is enabled appears to be of no use other than providing written post-mortem testament that security is bad and that the server has already been attacked.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
25
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q6: Will deleting/renaming either the xp_CmdShell extended stored procedure or the related DLL prevent the use of xp_CmdShell?
A6: No.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
26
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
I was really surprised at the answer to this one. During the same
"hackers" dog'n'pony show previously mentioned, I witnessed the hacker implementing his own version of xp_CmdShell, which didn't even require the use of the DLL that xp_CmdShell uses. I won't post the code here but it was incredibly simple to do.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
27
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q7: Can an attacker with “SA” privs get to the Command System (CMD) without using xp_CmdShell at all?
A7: Yes
Self deleting job with CmdExec task.
OPENROWSET with “/c CMD”
Note that the OPENROWSET method requires a simple registry hack using xp_RegWrite that I’m not going to demonstrate for obvious reasons.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
28
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q8: Is there a way to limit the amount of damage that someone with "SA" privs can do from SQL
Server at the Command Line whether it be accidental or malicious in nature?
A8: Yes.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
29
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Limit the privs that the SQL Server Service and the
SQL Agent Service logins have been assigned.
Reference: SQL Server 2012 Security Best Practices
- Operational and Administrative Tasks
Author: Bob Beauchemin, SQLskills
Technical Reviewers: Darmadi Komo, Jack Richins,
Devendra Tiwari
Published: January 2012
Link:
http://download.microsoft.com/download/8/F/A/8FAB
ACD7-803E-40FC-ADF8-
355E7D218F4C/SQL_Server_2012_Security_Best_Pra ctice_Whitepaper_Apr2012.docx
There IS another way that we’ll talk about in a minute but I haven’t tried it, yet.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
30
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
No one can use xp_CmdShell if it is disabled but…
“SA” prived logins can turn it on.
ONLY “SA” prived logins can use it.
ONLY the people that can use it can turn it on.
An attacker that gets in as “SA” doesn’t have to use xp_CmdShell to cause extremely grave damage, but could enable it and use it.
Logging of the xp_CmdShell enabling event is trivial and does not provide a clear conviction path.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
31
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Master Question:
Does disabling xp_CmdShell provide any layer of extra security?
Answer:
Other than trivial logging, NO, it does not.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
32
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q9: If xp_CmdShell is enabled, who can use it?
A9: Only logins that have been granted or implicitly have "SA" privs or “proxy” logins.
Giving non-”SA” users privs to execute xp_CmdShell directly is a huge security problem because of elevated privs. Don’t do it!
Disabling xp_CmdShell... Is it Really a "Best Practice"?
34
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q10: Does enabling xp_CmdShell change the rules as to who can use it according to Answer #9?
A10: Yes but it’s a trivial change.
If xp_CmdShell is disabled, the logins that can turn it on are the same logins that can use it (those with "SA" privs).
The exception is those logins that have been granted usage by proxy. Such logins are unable to enable xp_CmdShell if it's in a disabled state because they aren't setup with "SA" privs.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
35
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q11: Does enabling xp_CmdShell offer any substantial security
DISadvantage over it being disabled?
A11: Apparently not. Anyone with
"SA" privs can use xp_CmdShell whether it's enabled or not because it’s a trivial task to re-enable it.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
36
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q12: Considering the answers for questions 1 through 11, are there any advantages to having xp_CmdShell disabled as opposed to enabling it and leaving it enabled?
A12: Apparently not.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
37
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Whether xp_CmdShell is enabled or not, anyone with
"SA" privs and ONLY those with "SA" privs can enable xp_CmdShell and/or use it (provided the proxy mistake has not been made).
Only company policy would provide "prevention" of its use by internal users and ONLY if a system were set up to check if xp_CmdShell is enabled. That would require some regular audit system to examine the SQL
Server logs AND that the "SA" (person enabling xp_CmdShell) didn't delete the entry from the log, which they could very easily do in an undetectable manner.
Even then and as previously identified, there are methods to get to the Command Line without it that aren't logged at all (and that's a key point). All of those alternate methods are available to every login that has
"SA" privs.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
38
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Ancillary Question #1:
Does enabling xp_CmdShell and leaving it enabled provide any security DISadvantage?
Answer:
Apparently not.
Having xp_CmdShell enabled offers no more of a security DISadvantage than having it disabled. It would appear that the key to security has nothing to do with whether xp_CmdShell is enabled, disabled, or even deleted. It would appear that the real key is to prevent access to the system with "SA" privs.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
39
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q13: Are there any DISadvantages to having xp_CmdShell DISabled?
A13: Yes, there are at least 3 disadvantages.
If company policy mandates that xp_CmdShell remain disabled, only the honest DBA (assuming that DBAs have "SA" privs) will be thwarted.
Such honest DBAs will be deprived of a powerful tool (according to Given #2 above) capable of making his/her job much easier and more effective.
Because people DO think that having xp_CmdShell disabled is a security advantage, they may become more lax in the security measures they take (or don't take, as a result) no matter what they are.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
41
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q14: Since DBAs could use xp_CmdShell to elevate their domain privs, should DBAs be allowed to use xp_CmdShell?
A14: "Yes" with some possible provisions.
For example if the DBAs are trusted at the
SQL Server level but not at the Domain level, then the SQL Server login and the SQL
Agent login must be throttled back by the
Domain Administrators to prevent such elevation of privs. SQL Server and SQL
Agent should not be allowed to see more than what you want a DBA to see.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
42
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q15: Are there better methods to do the same things that could be done through the proper and secure use of xp_CmdShell?
A15: “It Depends” and seems to be either an emotional, preferential, or resource driven decision.
For me, considering answers 1 through 14, the power of the tool, the availability of a common command language understood by every DBA, and the fact that it can all be done through T-SQL (don’t have to setup other systems), I have to say “NO”.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
43
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Q16: What happens if someone is in the middle of an xp_CmdShell run and my proc disables xp_CmdShell?
A16: A command to disable xp_CmdShell will execute immediately but all instances currently running will be allowed to complete.
That’s good for the “Turn it on, use it, turn it off” method.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
44
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Do setting policies like “Prevent access to the Command Prompt” prevent usage of xp_CmdShell?
Yes, but only for the unskilled.
Hackers are setup to blow right through such things.
http://www.securitytube.net/video/653
People with “SA” privs can easily get to the registry through sp_RegWrite.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
45
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Ancillary Question #2:
Which is better?
Disabling it and never using it?
Enabling it only when needed and then disabling it, again?
Enabling it and leaving it enabled?
Disabling xp_CmdShell... Is it Really a "Best Practice"?
47
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Disabling it and never using it?
Provides only trivial logging.
Provides virtually no protection during an “SA” attack.
Anyone with “SA” privs can enable and use it.
ONLY “SA” privs can enable and use it.
People “think” it provides security when it does not and may lull them into a false sense of security.
Only keeps the honest man honest.
Deprives DBAs and Devs of powerful, flexible, easy to use tools.
Does provide the maximum “Nice Warm
Fuzzies”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
48
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Enabling it only when needed and then disabling it, again?
Provides only trivial logging (along with some nearly useless “Log Clogging”).
Provides virtually no protection during an “SA” attack.
Anyone with “SA” privs can enable and use it.
ONLY “SA” privs can enable and use it.
People “think” it provides security when it does not and may lull them into a false sense of security.
Provides DBAs and Devs with powerful, flexible, easy to use tools.
Have to remember in person and in code to enable/disable it every time it’s used. This means it might need to be enabled multiple times in a script, job, or stored proc.
Does provide some “Nice Warm Fuzzies”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
49
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Enabling it and leaving it enabled?
Provides no trivial logging (but helps with “Log
Clogging”).
Provides virtually no protection during an “SA” attack (just like the other 2 options).
Anyone with “SA” privs can enable and use it.
ONLY “SA” privs can enable and use it.
People “think” is it’s a gaping security hole and are more vigilant and diligent in limiting privs.
Provides DBAs and Devs with powerful, flexible, easy to use tools.
Never have to remember to enable or disable it in person, scripts or code.
Biggest disadvantage is “Visceral Fear” instead of “Nice Warm Fuzzies”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
50
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
There appears to be no non-trivial advantage to having xp_CmdShell disabled.
There appears to be no more of a security DISadvantage to having xp_CmdShell enabled than when it’s disabled.
There are DISadvantages to having xp_CmdShell disabled.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
51
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Disabling xp_CmdShell…
Is it Really a “Best Practice”?
Considering the facts discovered
(especially since it does nothing for security), the answer is “NO”.
Considering that there are more nontrivial disadvantages to having it disabled than having it enabled, it would appear that disabling xp_CmdShell is actually a “Worst
Practice”.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
52
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Given a Directory Path, List All of the Files in the Directory.
For example, DIR C:\Temp /b
The reason for such a simple example is that it allows us to concentrate on how to properly and securely get to the Command Line rather than concentrating on what we can do once we get there.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
54
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
1.
Setup Proxy User in Windows.
Done only once for the lifetime of the SQL Server.
“Standard” user.
2.
Login to SSMS as “Administrator”.
3.
Setup CmdShell Proxy Account in SQL Server.
Done only once for the lifetime of the SQL Server.
Turn on xp_CmdShell
Create Login, User, Proxy, and grant priv to xp_CmdShell.
4.
Ensure Correct Ownership of DB
Done only once in the lifetime of the DB.
5.
Make Proper Stored Procedures to Use xp_CmdShell.
Super easy to do.
Requires the addition of 4 easy to remember words.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
55
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Precise instructions will vary by version of
Windows.
1.
Click the Windows “Start”
Button.
2.
Open the “Control Panel”
3.
Open “User Accounts”
(might be under
“Administrative Tools”).
4.
Create a new “Standard” user.
5.
Create a strong password for the user and put in safe place.
6.
Exit the “Control Panel”
Disabling xp_CmdShell... Is it Really a "Best Practice"?
56
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
1.
If you don’t already have one, create a short-cut on the Desktop for SSMS
(“Ctrl” drag from
Windows Start menu).
2.
Right-click on the shortcut and select “Run as
Administrator”.
3.
Login to SSMS as a login that has “SA” privs.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
57
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Substitute the machine or domain name for “VAIO”.
Substitute the proxy user name from Step 1 for “CmdProxyUser”.
Change the GUID to the password of the proxy user from Step 1.
--===== We MUST be in the MASTER database to create the proxy user.
USE [master];
--===== Enable xp_CmdShell
EXEC sp_configure 'show advanced options' , 1 ; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell' , 1 ; RECONFIGURE;
EXEC sp_configure 'show advanced options' , 0 ; RECONFIGURE;
--===== Create the server login and map that login "user" the Master database
CREATE LOGIN [VAIO\CmdProxyUser] FROM WINDOWS
WITH DEFAULT_DATABASE=[master], DEFAULT_LANGUAGE=[us_english];
CREATE USER [VAIO\CmdProxyUser] FOR LOGIN [VAIO\CmdProxyUser]
WITH DEFAULT_SCHEMA=[dbo];
--===== Create the proxy account using the user we just added
EXEC sp_xp_cmdshell_proxy_account 'VAIO\CmdProxyUser' , '6A1E4814-6149-4A31-AF3B-
B9D60624145F' ;
--===== Give the proxy user privs to execute xp_CmdShell.
GRANT EXECUTE ON xp_CmdShell to [VAIO\CmdProxyUser];
Disabling xp_CmdShell... Is it Really a "Best Practice"?
58
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
1.
Start SSMS and login with “SA” privs.
2.
If the Object Explorer isn’t already open, press the {f8} key to open it.
3.
Expand the databases folder.
4.
Right click on the desired database and select [Properties].
5.
Click on [Files].
6.
Type “sa” (without the quotes) in the
“Owner” box.
7.
Click [OK].
Disabling xp_CmdShell... Is it Really a "Best Practice"?
59
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
The only difference between this and a typical stored procedure is 4 little words ( With Execute As Owner ).
CREATE PROCEDURE dbo .
GetDirInfo
WITH EXECUTE AS OWNER
AS
EXEC xp_cmdshell 'DIR C:\Temp /b‘
;
GRANT EXECUTE ON dbo.GetDirInfo TO PUBLIC;
Disabling xp_CmdShell... Is it Really a "Best Practice"?
60
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Whether you’ve decided to use
SQLCLR, xp_CmdShell, or what, YOU need to be aware of DOS Injection.
It’s why I don’t like SQLCLR for doing “DOS-like” things because I don’t have control over such code like I do xp_CmdShell.
DOS Injection is like SQL Injection but at the command line and can be even more deadly.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
61
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Simple proc like most people do.
CREATE PROCEDURE dbo .
GetDirInfoBadWay
@Path VARCHAR( 8000 )
AS
DECLARE @CMD VARCHAR( 8000 );
SELECT @CMD = 'DIR "' + @Path + '" /b' ;
EXEC xp_CmdShell @Cmd ;
GO
EXEC dbo .
GetDirInfoBadWay 'C:\Temp'
;
Deadly DOS Injection
EXEC dbo .
GetDirInfoBadWay 'C:\">nul & ECHO Bang u r dead & REM '
;
Disabling xp_CmdShell... Is it Really a "Best Practice"?
62
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Injection-Proof Proc Works Correctly
CREATE PROCEDURE dbo.GetDirInfoGoodWay
@Path VARCHAR( 8000 )
AS
DECLARE @CMD VARCHAR( 8000 );
SELECT @CMD = 'DIR "' +@Path+ '" /b'
WHERE @Path NOT LIKE '%[^a-zA-Z0-9:\*. ]%'
AND CHARINDEX ( 'REM ' ,@Path) = 0 ;
EXEC xp_CmdShell @Cmd;
GO
EXEC dbo .
GetDirInfoGoodWay 'C:\Temp'
;
But Rejects Hacks and Gives Attacker No
Clues.
EXEC dbo .
GetDirInfoGoodWay 'C:\">nul & ECHO Bang u r dead & REM ' ;
Command(s ) completed successfully.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
63
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
Discovered that Disabling xp_CmdShell offers no nontrivial benefits to security.
Learned that disabling it does not prevent attacks.
Learned that only limiting who gets “SA” privs prevents attacks.
Even an attacker can’t use xp_CmdShell if they can’t get in as
“SA”.
An attacker can get to the Command Line many other ways if they can get in as “SA”. They don’t even need xp_CmdShell.
Learned how to create a “Command Shell Proxy”.
Learned how to use the “proxy” to allow xp_CmdShell to be safely used in stored procedures.
Learned how to allow individuals to run those procs without having the ability to run xp_CmdShell directly.
Learned what DOS Injection is and how to prevent it.
Disabling xp_CmdShell might not be a “Best Practice”, after all.
Disabling xp_CmdShell... Is it Really a "Best Practice"?
65
12 May 2013 © Copyright by Jeff Moden - All Rights Reserved
by Jeff Moden
Thanks for listening!