Net stop <service> system error 5 access denied

1

From SQL server 2012 I try to do this:

    DECLARE @COMMAND nvarchar(4000)
    SET @COMMAND = 'net stop <servicename>'
    exec master.dbo.xp_cmdshell @COMMAND

I get system error 5 and Access denied as response.

The service account (checked with whoami) is added to the administrators, so what else can be wrong?

Sjef

Posted 2017-08-11T11:27:01.223

Reputation: 11

When you say 'From SQLServer 2012', do you mean from SQL Server Management Studio (ssms.exe)? – Frank Thomas – 2017-08-11T15:31:09.290

Yes, if I put the command(s) in a .bat or .cmd and run that from the OS it's fine. When I try to run it from ssms I get the same error. – Sjef – 2017-08-14T13:29:51.980

run ssms as admin. – Frank Thomas – 2017-08-14T13:39:57.863

Answers

0

Run SQL Server 2012 as administrator, and the problem will go away.

LPChip

Posted 2017-08-11T11:27:01.223

Reputation: 42 190

The service account mentioned has administrator rights. – Sjef – 2017-08-11T13:52:44.883

Yes, but even so, the runtime has to be performed as administrator. You have to right-click the program, and choose run as administrator, to give the application extra rights. You can see the exact same behavior if you try to do the command in a command prompt window. Even if your user has admin rights, it will not work until you launch the command prompt as administrator. It's a UAC thing. – LPChip – 2017-08-11T14:25:36.853

In this case, the user running the DB service is unimportant to the issue. The issue is who can CONTROL the service, by starting/stopping/editing the service. SQL Injection attacks would be disastrous if just any old user could execute xp_cmdshell and by virtue of the SQL Server's privileged access be able to run arbitrary commands as a server admin. – Frank Thomas – 2017-08-11T15:34:46.883

0

Allow non-sysadmin user to execute xp_cmdshell from SSMS

I helped troubleshoot an issue where we needed to grant an app developer access to execute xp_cmdshell from within an SSMS session rather than "Run as" from SQL Agent Job on a non-critical development server without making him a sysadmin on the SQL Server instance.

What We Did

Note: Domain user account can be replaced by work group account, local machine account, etc.

Important: You need to understand the risk of allowing users in your environment to execute OS level commands, and you should only grant this level of permissions to xp_cmdshell to those which are trustworthy enough with this level of security with the proxy method.

  1. Created a new domain user account with a strong password and took note of the username and password. Made sure the account was enabled and the password was set to never expire.

  2. Created a new SQL Server Login tied to the new domain user account we created.

  3. Created a new proxy credential tied to the domain user account.

    EXEC sp_xp_cmdshell_proxy_account '<Domain>\<NewUser>', '<password>' -- you have to type actual password
    
  4. Granted that SQL Server Login explicit EXECUTE access to the system extended stored proc from the Master DB named sys.xp_cmdshell.

    --see who all has execute access to xp_cmdshell   
    Use master                      
    EXEC sp_helprotect 'xp_cmdshell'
    
    
    -- To allow advanced options to be changed.
    EXEC sp_configure 'show advanced options', 1
    RECONFIGURE
    GO
    
    -- Enable the xp_cmdshell procedure
    EXEC sp_configure 'xp_cmdshell', 1
    RECONFIGURE
    GO
    
    -- Grant execute permissions to account
    GRANT EXECUTE ON xp_cmdshell TO [<Domain>\<NewUser>]
    
  5. Grant the person that uses the EXECUTE AS impersonate permission to the new SQL Server Login.

    GRANT IMPERSONATE ON LOGIN::[<Domain>\<NewUser>] TO [<Domain>\<UserGrantingExecuteAsUser>]
    
  6. Now run the command with the EXECUTE AS LOGIN and pass the net stop command to the xp_cmdshell stored procedure. The security principal as listed in step #5 above in the <Domain>\<UserGrantingExecuteAsUser> should be that of the person you are running SSMS as security context wise for this task.

    EXECUTE AS LOGIN = '<Domain>\<NewUser>'
    DECLARE @COMMAND nvarchar(4000)
    SET @COMMAND = 'net stop <servicename>'
    EXEC xp_cmdshell @COMMAND
    REVERT
    


Pimp Juice IT

Posted 2017-08-11T11:27:01.223

Reputation: 29 425
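
To review what the proxy setup in the answer above leaves behind on an instance, the following audit queries can be run. This is an added example, not part of the original answer; it uses only SQL Server system catalog views and assumes it is run by a sysadmin so that all rows are visible.

```sql
-- Added audit example: review xp_cmdshell exposure after a proxy setup.
USE master;
GO

-- 1. Is xp_cmdshell enabled on this instance? (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which Windows account do non-sysadmin callers run OS commands as?
--    No row means no proxy credential is set.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 3. Who holds an explicit permission on xp_cmdshell in master?
SELECT pr.name AS grantee, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1                                   -- object-level permission
  AND pe.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. Who may EXECUTE AS LOGIN which login? Each row is a path to that
--    login's rights, including any xp_cmdshell grant found in query 3.
SELECT grantee.name AS can_impersonate,
       target.name  AS impersonated_login,
       pe.state_desc
FROM sys.server_permissions AS pe
JOIN sys.server_principals AS grantee
  ON grantee.principal_id = pe.grantee_principal_id
JOIN sys.server_principals AS target
  ON target.principal_id = pe.major_id
WHERE pe.class = 101                                 -- SERVER_PRINCIPAL
  AND pe.permission_name = N'IMPERSONATE';

-- 5. sysadmin members can run xp_cmdshell without any grant, and their
--    commands run as the SQL Server service account, not the proxy.
SELECT m.name AS sysadmin_member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

Any grantee in queries 3 and 4 that is no longer needed can be removed with the matching `REVOKE`, and `EXEC sp_xp_cmdshell_proxy_account NULL` drops the proxy credential.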