EXEC xp_cmdshell Access Denied with sa - sql-server

I created a proxy account by using the next command:
create credential ##xp_cmdshell_proxy_account## with identity = 'DOMAIN\User1', secret = 'xxxxxxxxxxx'
Then I created the login for DOMAIN\User1 (Windows Authentication). After that I executed these lines:
create user [DOMAIN\User1] for login [DOMAIN\User1]
go
grant execute on xp_cmdshell to [DOMAIN\User1]
go
After these steps, I can login to Management Studio with DOMAIN\User1 and execute xp_cmdshell without any problem.
Now I do the same steps using a Local Windows Account:
Create a login for HOSTNAME\User2 (Windows Authentication). After that I execute these lines:
create user [HOSTNAME\User2] for login [HOSTNAME\User2]
go
grant execute on xp_cmdshell to [HOSTNAME\User2]
go
And also after these steps, I can login with HOSTNAME\User2 and execute xp_cmdshell without any problem.
This has been to demonstrate I can create a Login and grant access to execute xp_cmdshell.
OK, but my goal is to execute xp_cmdshell when logged as sa.
I'm getting an Access Denied when trying to execute xp_cmdshell logged as sa.
And I don't know exactly what to do to grant access to sa for xp_cmdshell execution.
When I try to run this line:
create user sa for login sa
I get the error: Cannot use the special principal 'sa'
And when I try to run this line:
grant execute on xp_cmdshell to sa
I get the error: Cannot find the user 'sa', because it does not exist or you do not have permission.
So, my question is why I'm getting an Access Denied executing xp_cmdshell when logged as sa?
Additional Information:
The command I'm trying to execute is:
exec xp_cmdshell 'SCHTASKS /Run /TN "TaskName"'

Related

Getting execute permission to xp_cmdshell

I am seeing an error message when trying to execute xp_cmdshell from within a stored procedure.
xp_cmdshell is enabled on the instance. And the execute permission was granted to my user, but I am still seeing the exception.
The EXECUTE permission was denied on the object ‘xp_cmdshell’, database ‘mssqlsystemresource’, schema ‘sys’
Part of the issue is that this is a shared cluster, and we have a single database on the instance, so we don't have a full range of admin permissions. So I can't go in and grant permissions, and what-not.
For users that are not members of the sysadmin role on the SQL Server instance, you need to do the following actions to grant access to the xp_cmdshell extended stored procedure. In addition, if you forgot one of the steps, I have listed the error that will be thrown.
(1) Enable the xp_cmdshell procedure
Msg 15281, Level 16, State 1, Procedure xp_cmdshell, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
(2) Create a login for the non-sysadmin user that has public access to the master database
Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
(3) Grant EXEC permission on the xp_cmdshell stored procedure
Msg 229, Level 14, State 5, Procedure xp_cmdshell, Line 1
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.
(4) Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account
Msg 15153, Level 16, State 1, Procedure xp_cmdshell, Line 1
The xp_cmdshell proxy account information cannot be retrieved or is invalid. Verify that the '##xp_cmdshell_proxy_account##' credential exists and contains valid information.
It would seem from your error that either step 2 or 3 was missed. I am not familiar with clusters to know if there is anything particular to that setup.
I want to complete the answer from tchester.
(1) Enable the xp_cmdshell procedure:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
-- Enable the xp_cmdshell procedure
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
(2) Create a login 'Domain\TestUser' (windows user) for the non-sysadmin user that has public access to the master database
(3) Grant EXEC permission on the xp_cmdshell stored procedure:
GRANT EXECUTE ON xp_cmdshell TO [Domain\TestUser]
(4) Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account
EXEC sp_xp_cmdshell_proxy_account 'Domain\TestUser', 'pwd'
-- Note: pwd means windows password for [Domain\TestUser] account id on the box.
-- Don't include square brackets around Domain\TestUser.
(5) Grant control server permission to user
USE master;
GRANT CONTROL SERVER TO [Domain\TestUser]
GO
tchester said :
(2) Create a login for the non-sysadmin user that has public access to the master database
I went to my user's database list (server/security/connections/my user name/properties/user mapping) and wanted to check the box for the master database. I got an error message telling me that the user already exists in the master database. Went to master database, dropped the user, went back to "user mapping" and checked the box for master. Check the "public" box below.
After that, you need to re-issue the grant execute on xp_cmdshell to "my user name"
Yves
To expand on what has been provided for automatically exporting data as csv to a network share via SQL Server Agent.
(1) Enable the xp_cmdshell procedure:
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
GO
-- Enable the xp_cmdshell procedure
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
GO
(2) Create a login 'Domain\TestUser' (windows user) for the non-sysadmin user that has public access to the master database. Done through user mapping
(3) Give log on as batch job: Navigate to Local Security Policy -> Local Policies -> User Rights Assignment. Add user to "Log on as a batch job"
(4) Give read/write permissions to network folder for domain\user
(5) Grant EXEC permission on the xp_cmdshell stored procedure:
GRANT EXECUTE ON xp_cmdshell TO [Domain\TestUser]
(6) Create a proxy account that xp_cmdshell will be run under using sp_xp_cmdshell_proxy_account
EXEC sp_xp_cmdshell_proxy_account 'Domain\TestUser', 'password_for_domain_user'
(7) If the sp_xp_cmdshell_proxy_account command doesn't work, manually create it
create credential ##xp_cmdshell_proxy_account## with identity = 'Domain\DomainUser', secret = 'password'
(8) Enable SQL Server Agent. Open SQL Server Configuration Manager, navigate to SQL Server Services, enable SQL Server Agent.
(9) Create automated job. Open SSMS, select SQL Server Agent, then right-click jobs and click "New Job".
(10) Select "Owner" as your created user. Select "Steps", make "type" = T-SQL. Fill out command field similar to below. Set delimiter as ','
EXEC master..xp_cmdshell 'SQLCMD -q "select * from master" -o file.csv -s ","'
(11) Fill out schedules accordingly.

Execute xp_cmdshell command as specific user

I would like to run xp_cmdshell (TSQL procedure) in order to mount a network drive and then access remote mdb files.
I am administrator on the MS SQL server and I have allowed xp_cmdshell execution accordingly.
However, there is still a problem:
When I call xp_cmdshell, the user executing the command is the SQL SysAdmin, i.e. the account that runs the SQL Server process.
I wish xp_cmdshell executed as the account with which I'm connected to SQL Server, i.e. Administrator.
Both of these accounts are in the administrator group and the SQLAdmin group, and are granted CONTROL SERVER. Both users belong to the same domain. All of this is run on the same machine.
Because of this conflict, I cannot use a network drive because it is mounted for SysAdmin and not for Administrator.
I tried to use sp_xp_cmdshell_proxy_account to specify the account with which I want to run xp_cmdshell, but SysAdmin is still the account used.
Therefore, this code:
select user_name(), suser_name();
exec xp_cmdshell 'echo %username%';
displays :
Administrator Administrator
SysAdmin
Does anybody know how to impersonate the xp_cmdshell command well? Is there something to (re)configure?
Thanks for your help.
Because you're connecting to SQL as a login in the sysadmin group, xp_cmdshell runs as the service account.
If you connect as a low-privilege login, then it will use the xp_cmdshell_proxy_account instead. So try doing EXECUTE AS LOGIN='lowprivaccount' first, to see if that helps.
Of course, what you're actually asking is not the expected use. Expected use is that the high-privilege accounts can allow xp_cmdshell to use the Service Account, whereas everyone else has to put up with the lower privilege proxy account.
I actually have had to use this method in the past for similar things on network shares, try this...
-- map your drive and make it persistent.
EXEC xp_cmdshell 'net use t: \\<server>\<share> <password> /user:<username> /persistent:yes'
-- t-sql code making use of the t drive
-- delete the drive mapping
EXEC xp_cmdshell 'net use t: /delete'
You can actually set up a job that executes when the sql service starts and make it map this drive so you will always have access to the share as long as sql is running. All you would need to do is set up a sproc that maps the drive and have it do the initial mapping of the drive and make use of sp_procoption (http://msdn.microsoft.com/en-us/library/ms181720.aspx)
Maybe you could try PsExec? Download the file at this URL and copy it in a folder member of the %Path% environment variable.
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
exec xp_cmdshell 'psexec -u Administrator -p password net use ...'
You could try "net use" with a username and password inside xp_cmdshell. This establishes the credentials for the connection to the UNC.
However, I'm not sure how long this would persist. If it persists indefinitely (eg until server restart), you could have a start-up stored procedure that does "net use" and ensures it's available for use later.
A subsequent xp_cmdshell (to access the MDB files) would not require the authentication because the credentials are already established within the OS.
I found this page helped fill in the gaps in the process of actually adding the domain account and linking it.
http://sqlblog.com/blogs/tibor_karaszi/archive/2007/08/23/xp-cmdshell-and-permissions.aspx
After restart server must execute command, please solution save command...
USE master
GO
EXEC master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
GO
EXEC master.dbo.sp_configure 'xp_cmdshell', 1
RECONFIGURE WITH OVERRIDE
GO
EXEC xp_cmdshell 'net use \\ip\xxx pass /user:xxx /persistent:no'
USE master
GO
EXEC master.dbo.sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
GO
EXEC master.dbo.sp_configure 'xp_cmdshell', 0
RECONFIGURE WITH OVERRIDE
You must create a stored procedure in which you will place your xp_cmdshell script.
A stored procedure runs using the administrator account, therefore your xp_cmdshell will successfully run when you execute the stored procedure
create procedure RunShellIndirectly
as
-- local variables are prefixed with @ in T-SQL
declare @tawandachinaka as varchar(50)
set @tawandachinaka='DIR "c:\scrap measurement\"*.csv /B'
EXEC xp_cmdshell @tawandachinaka

`xp_cmdshell` SQL Server - privileges for user authenticated by password and name

How to make it possible to call procedure xp_cmdshell for a user authenticated by password and username? At this moment, a user authenticated by Windows authentication can call this procedure.
My SQL Server is 2012.
Grant that user execute on xp_cmdshell
Then set up the xp_cmdshell_proxy_account
When xp_cmdshell is called by a user that is not a member of the sysadmin fixed server role, xp_cmdshell connects to Windows by using the account name and password stored in the credential named ##xp_cmdshell_proxy_account##. If this proxy credential does not exist, xp_cmdshell will fail.
The proxy account credential can be created by executing sp_xp_cmdshell_proxy_account. As arguments, this stored procedure takes a Windows user name and password.
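The sysadmin-versus-proxy split described in the answers above can be checked from the catalog views. The following read-only audit is an added example, not code from any of the posts; it assumes it is run by a sysadmin against the master database and uses only standard system views.

```sql
-- Added example: read-only audit of who can reach xp_cmdshell and as which
-- Windows account. Nothing here changes configuration or runs a command.
USE master;
GO

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it is callable right now
--    (otherwise callers get Msg 15281).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Which Windows account do non-sysadmin callers run as?
--    No row here means their calls fail with Msg 15153.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 3. Who has been granted (or denied) EXECUTE on xp_cmdshell in master?
--    A caller without a GRANT row gets Msg 229.
SELECT dp.name AS grantee, dp.type_desc, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp
  ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1
  AND OBJECT_NAME(p.major_id) = N'xp_cmdshell';

-- 4. Who bypasses the proxy? Members of sysadmin run xp_cmdshell as the
--    SQL Server service account, not as the proxy credential.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 5. Who holds CONTROL SERVER? It is a server-wide permission close to
--    sysadmin, so review every grantee alongside the list from step 4.
SELECT sp.name AS login_name, sp.type_desc, p.state_desc
FROM sys.server_permissions AS p
JOIN sys.server_principals AS sp
  ON sp.principal_id = p.grantee_principal_id
WHERE p.permission_name = N'CONTROL SERVER';

-- 6. Which path would the current session take?
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;
```

Rows from steps 4 and 5 are the logins whose shell commands run with the service account's Windows rights, which is why that account's OS privileges matter as much as the SQL grants.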

Administrator cannot run a SQL Server query to add a Windows user with “net user /add” using xp_cmdshell

I login to SQL Server with Administrator account and can execute the following query and get the result:
xp_cmdshell 'net user' -- Works well, and displays all local Windows user accounts
But when I want to '/ADD' a new Windows user locally, with the query below, the problem arises:
xp_cmdshell 'net user myUserName myPassWord /ADD'
Error message:
The EXECUTE permission was denied on the object 'xp_cmdshell', database 'mssqlsystemresource', schema 'sys'.

What permissions are needed to copy databases in SQL Azure

I wrote a little app to back up SQL Azure databases using the very useful 'CREATE AS COPY OF' command in SQL Azure. e.g.
CREATE DATABASE MyNewDB AS COPY OF MyOldDB
I run this command with the admin login (first login you get when creating a server). My Question: What are the minimal permissions a new login would need to execute the above command?
So far here's what I've done:
-- IN MASTER DB --
CREATE LOGIN DBCreator WITH PASSWORD = '?????????????'
CREATE USER DBCreator FROM LOGIN DBCreator;
EXEC sp_addrolemember 'dbmanager', 'DBCreator';
-- IN MyOldDB --
-- (I ran this stuff when the previous commands didn't do it) --
CREATE USER DBCreator FROM LOGIN DBCreator;
EXEC sp_addrolemember 'db_datareader', 'DBCreator'; --
And the result when running the above CREATE DATABASE command:
CREATE DATABASE permission denied in database 'MyOldDB'.
I could not add the db_owner role to new login, the command
EXEC sp_addrolemember 'db_owner', 'NewLogin'
throws the error
Cannot alter the role 'db_owner', because it does not exist or you do not have permission.
But using the dbmanager role works
EXEC sp_addrolemember 'dbmanager', 'NewLogin'
There is useful information in the article Managing Databases and Logins in Windows Azure SQL Database.
