原文出处:http://blog.csdn.net/dba_huangzj/article/details/38656615,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349 未经作者同意,任何人不得以原创形式发布,也不得已用于商业用途,本人不负责任何法律责任。 前一篇:http://b
原文出处:http://blog.csdn.net/dba_huangzj/article/details/38656615,专题目录:http://blog.csdn.net/dba_huangzj/article/details/37906349未经作者同意,任何人不得以“原创”形式发布,也不得已用于商业用途,本人不负责任何法律责任。
前一篇:http://blog.csdn.net/dba_huangzj/article/details/38489765
前言:
基于安全性原因,某些功能在安装SQL Server时就被禁用,从2008开始,所有敏感选项可以通过一个叫【外围应用配置器】的【方面】进行管理,这个功能在2005的时候以独立工具的形式出现过,在2008又取消了。
实现:
1. 在SQL Server Management Studio(SSMS)中,右键【服务器】节点,选择【方面】:
2. 在【查看方面】对话框中,选择【外围应用配置器】:
原文出处:http://blog.csdn.net/dba_huangzj/article/details/38656615
3. 把【AdHocRemoteQueriesEnabled】、【OleAutomationEnabled 】和【XPCmdShellEnabled 】的属性设为False:
可以使用下面语句来查询这些【方面】的信息:
SELECT *
FROM sys.system_components_surface_area_configuration
WHERE component_name IN
(
'Ole Automation Procedures',
'xp_cmdshell'
);
除了外围配置管理器,还可以使用【策略管理,PBM】来管理这些,将在第七章介绍。
4. 还可以使用T-SQL检查状态:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'Ad Hoc Distributed Queries'; EXEC sp_configure 'Ole Automation Procedures'; EXEC sp_configure 'xp_cmdshell';
5. 上面结果中,run_value为1 即启用,0为禁用,如果需要禁用这些,可以使用下面语句,记得使用RECONFIGURE命令让更改生效:
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; EXEC sp_configure 'Ole Automation Procedures', 0; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
原理:
Ad hoc分布式查询允许在T-SQL语句内使用连接目标数据源的字符串,可以使用OPENROWSET/OPENDATASOURCE关键字,通过OLEDB访问远程数据库,如下:
SELECT a.* FROM OPENROWSET('SQLNCLI', 'Server=SERVER2;Trusted_Connection=yes;', 'SELECT * FROM AdventureWorks.Person.Contact') AS a;
这种写法的权限基于授权类型,如果使用SQL Server身份验证,那么权限是SQL Server服务的帐号权限,如果是Windows 身份验证,权限是Windows帐号的权限。
OLE自动化程序(OLE automation procedures)是系统存储过程,允许T-SQL代码使用OLE 自动化对象,然后在SQL Server上下文外部运行,如sp_OACreate用于实例化对象并操作这个对象。下面代码演示如何使用OLE自动化程序删除文件夹:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'Role Automation Procedures', 1; RECONFIGURE; GO DECLARE @FSO int, @OLEResult int; EXECUTE @OLEResult = sp_OACreate 'Scripting.FileSystemObject', @FSO OUTPUT; EXECUTE @OLEResult = sp_OAMethod @FSO, 'DeleteFolder', NULL, 'c:\ sqldata'; SELECT @OLEResult; EXECUTE @OLEResult = sp_OADestroy @FSO;
只有sysadmin服务器角色的成员才能使用这些程序。
xp_cmdshell扩展存储过程允许使用T-SQL访问底层操作系统,如:
exec xp_cmdshell 'DIR c\*.*';
限制这些程序的权限,可以一定程度上保护服务器的安全。
更多:
原文出处:http://blog.csdn.net/dba_huangzj/article/details/38656615
为了允许非sysadmin登录使用xp_cmdshell,可以把它封装到存储过程中并用EXECUTE AS 。如果你希望他们运行任意命令,必须定义一个代理帐号:
EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\user','user password';
可用下面语句查询:
SELECT * FROM sys.credentials WHERE name = '##xp_cmdshell_proxy_account##';
可用下面语句移除:
EXEC sp_xp_cmdshell_proxy_account NULL;
另外,你不能禁止sysadmin成员使用xp_cmdshell。即使禁用了,sysadmin角色成员还是可以启用。
下一篇:http://blog.csdn.net/dba_huangzj/article/details/38657111
How do you alter a table in MySQL using the ALTER TABLE statement?Mar 19, 2025 pm 03:51 PMThe article discusses using MySQL's ALTER TABLE statement to modify tables, including adding/dropping columns, renaming tables/columns, and changing column data types.
How do I configure SSL/TLS encryption for MySQL connections?Mar 18, 2025 pm 12:01 PMArticle discusses configuring SSL/TLS encryption for MySQL, including certificate generation and verification. Main issue is using self-signed certificates' security implications.[Character count: 159]
How do you handle large datasets in MySQL?Mar 21, 2025 pm 12:15 PMArticle discusses strategies for handling large datasets in MySQL, including partitioning, sharding, indexing, and query optimization.
What are some popular MySQL GUI tools (e.g., MySQL Workbench, phpMyAdmin)?Mar 21, 2025 pm 06:28 PMArticle discusses popular MySQL GUI tools like MySQL Workbench and phpMyAdmin, comparing their features and suitability for beginners and advanced users.[159 characters]
How do you drop a table in MySQL using the DROP TABLE statement?Mar 19, 2025 pm 03:52 PMThe article discusses dropping tables in MySQL using the DROP TABLE statement, emphasizing precautions and risks. It highlights that the action is irreversible without backups, detailing recovery methods and potential production environment hazards.
How do you create indexes on JSON columns?Mar 21, 2025 pm 12:13 PMThe article discusses creating indexes on JSON columns in various databases like PostgreSQL, MySQL, and MongoDB to enhance query performance. It explains the syntax and benefits of indexing specific JSON paths, and lists supported database systems.
How do you represent relationships using foreign keys?Mar 19, 2025 pm 03:48 PMArticle discusses using foreign keys to represent relationships in databases, focusing on best practices, data integrity, and common pitfalls to avoid.
How do I secure MySQL against common vulnerabilities (SQL injection, brute-force attacks)?Mar 18, 2025 pm 12:00 PMArticle discusses securing MySQL against SQL injection and brute-force attacks using prepared statements, input validation, and strong password policies.(159 characters)
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Atom editor mac version download
The most popular open source editor
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
