Access denied for enabled xp_cmdshell for the admin user - sql-server

I'm using xp_cmdshell within a database trigger to launch a exe file.
xp_cmdshell is enabled(it can execute simple cmd command like 'echo'). But when I try to launch the exe through xp_cmdshell, the access is denied.
I am the database administrator. And I can launch the exe through cmd directly. Anyone know why I get denied and how to fix it?

Use xp_cmdshell to run "whoami", then check effective permissions for the stated user on the exe and any resources it accesses.
Odds are that an account like localsystem is being used to run processes via xp_cmdshell.
EXEC xp_cmdshell 'whoami'

Likely insufficient NTFS permissions. Make sure the 'user account' that the SQL Server is running as, has permission (Read+Execute) to the *.EXE (and any dependent files)

Not sure, but I believe that the trigger is run by the user running the SQL command that "triggered" the trigger.
Is the user issuing the SQL command a Windows user or a SQL user ? If it's a SQL user, you need to set an "SQL Proxy". The SQL Proxy is used to tell SQL which Windows user will be used to access the file system.
Hope this helps,
Yves

I was getting ACCESS DENIED when trying to run BCP and then COPY.
What I found is that xp_cmdshell starts in c:\windows\system32
I modified my CMD file to change to my working folder
L:
cd L:\myworkingfolder
This solved my problem, Event though my sqlagent was a local administrator and I had full pathed my copy command.

Time to contribute now. I am sysadmin role and worked on getting two public access users to execute xp_cmdshell. I am able to execute xp_cmdshell but not the two users.
I did the following steps:
create new role:
use master
CREATE ROLE [CmdShell_Executor] AUTHORIZATION [dbo]
GRANT EXEC ON xp_cmdshell TO [CmdShell_Executor]
add users in master database: Security --> Users. Membership checks only [CmdShell_Executor] that is just created
set up proxy account:
EXEC sp_xp_cmdshell_proxy_account 'domain\user1','users1 Windows password'
EXEC sp_xp_cmdshell_proxy_account 'domain\user2','users2 Windows password'
Then both users can execute the stored procedure that contains xp_cmdshell invoking a R script run. I let the users to type in the password, execute the one line code, then delete the password. All in my pc.

You can also get Access is denied. when you don't specify path to executable correctly. Note if your path contains spaces, you need to enclose the executable into double quotes:
EXEC xp_cmdshell '"D:\My path\With spaces\runme.exe"'

I had the same problem and I solved it like this:
Open SQL Server Configuration Manager
Select your instance and right-click -> properties
Select Log on tab
And select authorized account

Related

SQL Server Stored Procedure Bacup Database into Network Share

I have followed "How to schedule and automate backups of SQL Server databases in SQL Server Express" article to create backup a SQL Server Express database. Basically this creates a stored procedure and it is called by a .BAT file periodically by Task Scheduler. If destination is set to a local folder for example D:\Data it works fine, however I need to create backups on the folder \\Server\Folder I get access denied error.
User domain\myuser is always logged in. This user has write permission into folder \\Server\Folder. I tried adding user as Login and then tried to call stored procedure EXECUTE AS domain\myuser but it did not help.
I cannot create a network map because of limitations. Is there a workaround for backup into a network folder?
When I run SSMS and call the SP I get the following error. I logged in as domain\myuser user and opened SSMS. If I browse folder \\Server\Folder in Windows Explorer I can create files, so user domain\myuser has write permissions on the folder.
I navigated to your link you shared and read the following:
In the Enter the user name field, type a user name, and then type a password in the Enter the password field.
Note This user should at least be assigned the BackupOperator role at
SQL Server level if you are using one of the batch files in example 1,
3, or 4.
Are you specifying the domain administrator credentials here? i.e. The credentials for the network share?
You need to make sure that the account that the SQL Server service is using has the appropriera permissions on the share.

What is the best way to share a folder so T-SQL can use it?

I want to write in a shared folder inside my network through an T-SQL procedure but when I try to write, it says permission denied. I tried to grant full permission to everyone and it worked. I don't want to leave it like that though because that would just be another vulnerability in my companies network. What user does T-SQL use? And do you maybe know a way to write without granting everyone permission?
You need to grant the permissions to the account used by the windows service. You can find out which account this is in 2 ways.
SQL Configuration Manager
Open up SQL Configuration Manager on your server, and you see this. The account name you want I have highlighted in a red ellipse.
Command line
Use the command sc to get details of windows services. If your SQL Server instance is the default instance on 'Servername' use
sc \\Servername qc MSSQLSERVER
If you SQL Server instance is Servername\InstanceName use
sc \\Servername qc MSSQL$InstanceName
The account you want is listed as the SERVICE_START_NAME which should be on the last line.

I am getting access denied when moving files in tsql

I am getting access denied errors when I move files from server1 to server2. Please advise how I should get past this error in my tsql script.
I used xp_cmdshell 'move d:\files \server2'
tsql uses the permissions of the account used to start the SQL Server instance. To see the account used, open the services control panel, locate the SQL Server service, goto properties and then logon tab. You probably need to change this to an account that has the appropriate permissions.

SQL Server EXECUTE AS on FN_TRACE_GETTABLE

I'm trying to allow a user to view SQL Server trace data from a .trc file without giving them ALTER TRACE permissions (SQL Server 2008 R2). So I've wrapped it up in a stored procedure, using my sysadmin account:
CREATE PROCEDURE test_trace
as
SELECT * FROM FN_TRACE_GETTABLE(N'C:\temp\trace1.trc', 1)
If I execute this stored procedure using my sysadmin account, it runs fine as expected. If I try to run this under the domain1\user1 account, it does not run giving an error of "You do not have permission to run 'FN_TRACE_GETTABLE'". This is again expected.
So now I want to let domain1\user1 run the stored procedure, so I change the stored procedure to execute under a sysadmin account:
CREATE PROCEDURE test_trace
WITH EXECUTE AS 'domain1\sysadmin1'
as
SELECT * FROM FN_TRACE_GETTABLE(N'C:\temp\trace1.trc', 1)
Now when I execute the stored procedure, I get "You do not have permission to run 'FN_TRACE_GETTABLE'" regardless of the account I execute it under! I was expecting to be able to execute it both under the domain1\user1 and domain1\sysadmin1 accounts.
Could anybody please help with what I've missed? My goal is to allow domain1\user1 to read the trace1.trc file without giving them ALTER TRACE permissions.
You need to use code signing to elevate privileges in a controlled manner. While in an EXECUTE AS procedure context you are sandboxed and cannot leverage a server level priviledge (such as trace related permissions), read Extending Database Impersonation by Using EXECUTE AS. Code signing is the proper solution to this problem as well. See a full example here.
According to the documentation you can only specify a (database) username in execute as for stored procedures. Still I think this should normally work, but please alter the SP with the sysadmin account and specify EXECUTE AS SELF instead of the user name.
If that still does not work, try giving the executing user read rights on the trace file, maybe the server ignores the execute as for the file access (which I would consider as a bug).
Copy&paste the path into a new explorer window and if it gives an error, there's your problem. Took me a while to figure out why SQL Server said the "sa" account didn't have permissions that it did have.

SQL Server : xp_cmdshell have very limited privilegies

I don't know if it should be like this. When I'm trying to do anything with xp_cmdshell procedure it almost every time gives me Access Denied.
For example I can't create new .txt file, can't create new user, nothing. I'm logged in with windows administrator user.
Is there any way to run this procedure with administrator privileges?
XP_CmdShell will execute under the context of the Service Account running the SQL Server Service. The service account needs the permissions to the external resources.
Could I point out however, that enabling xp_cmdshell is not a good idea. It opens lots of security holes. For example, if your app has an unknown volnerability to SQL injection, a hacker could do all sorts on your network that you rather avoid.
If you must use external resources then better approaches would include a CLR procedure or calling a Job that executes a CMDEXEC step.
xp_cmdshell executed by a windows login is executing under an impersonation context. as such any access of a remote resource (eg. access a file on a share, an operation on AD like adding an user) will fall under the constrained delegation restrictions, likely resulting in a access denied because constrained delegation is probably not to be configured on all those resources.

Resources