7.1.1 Disable Windows extended stored procedures
Extended stored procedures are DLLs that can be installed by a SQL Server
administrator to provide enhanced functionality within SQL Server. SQL
Server extended stored procedures are dangerous for several reasons. The
main risk has to do with their power and their ability to access and invoke
actions at the operating system level. Using these procedures blurs the
boundary between the database and the operating system and can give too
many privileges to a user signed on to the database. After seeing so many
security issues in previous chapters, and especially application vulnerabilities
as described in Chapter 5, a clear separation between the host and the
database should be on your mind. Another risk has to do with vulnerabilities
that have been found in these procedures. In this section I will try to
convince you that they are just not worth it and that you should remove them.
Some extended procedures allow a SQL Server user to have broad access
to the operating system. As an example, the extended procedures
xp_regread and xp_instance_regread allow the PUBLIC role to read
from the system registry. This means that I can get useful information
which tells me where the SQL Server 2000 instance is installed by issuing
statements of the form:

    exec xp_regread 'HKEY_LOCAL_MACHINE',
        'SOFTWARE\Microsoft\MSSQLServer\Setup', 'SQLPath'
    exec xp_instance_regread 'HKEY_LOCAL_MACHINE',
        'SOFTWARE\Microsoft\MSSQLServer\Setup', 'SQLPath'

To get the default login (and see if guest has been removed or not):

    exec xp_regread 'HKEY_LOCAL_MACHINE',
        'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', 'DefaultLogin'
    exec xp_instance_regread 'HKEY_LOCAL_MACHINE',
        'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', 'DefaultLogin'

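The same exposure from the administrator's side, as an added example that is not from the book: this T-SQL lists the extended stored procedures that the PUBLIC role can execute, revokes the grant on the two procedures named above, and re-checks the result. It assumes the SQL Server 2000 system tables sysobjects and sysprotects in master and a login with sysadmin rights.

```sql
-- Added example (not from the book). Assumes SQL Server 2000 system
-- tables in master and a sysadmin login.
USE master
GO

-- 1. Audit: every extended stored procedure (xtype = 'X') on which
--    the public role currently holds EXECUTE.
SELECT  o.name           AS extended_proc,
        USER_NAME(p.uid) AS grantee,
        CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
        END              AS grant_type
FROM    sysobjects  o
JOIN    sysprotects p ON p.id = o.id
WHERE   o.xtype = 'X'
  AND   p.action = 224                 -- 224 = EXECUTE
  AND   p.protecttype IN (204, 205)    -- granted, not denied
  AND   USER_NAME(p.uid) = 'public'
ORDER BY o.name
GO

-- 2. Mitigation: take EXECUTE on the two registry-reading procedures
--    away from public.
REVOKE EXECUTE ON xp_regread          FROM public
REVOKE EXECUTE ON xp_instance_regread FROM public
GO

-- 3. Verify: this should now return no rows.
SELECT  o.name AS still_granted_to_public
FROM    sysobjects  o
JOIN    sysprotects p ON p.id = o.id
WHERE   o.xtype = 'X'
  AND   o.name IN ('xp_regread', 'xp_instance_regread')
  AND   p.action = 224
  AND   p.protecttype IN (204, 205)
  AND   USER_NAME(p.uid) = 'public'
GO
```
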
Here is one final example showing how vulnerable extended procedures
can make you. There really is a lot in the registry—data that you may not
even be aware of. This information is useful to an attacker. For example, if
you are using IPSec to encrypt data in transit (see Chapter 10), then an