Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-2461 | DM1758-SQLServer9 | SV-23794r2_rule | ECLP-1 | High |
Description |
---|
The xp_cmdshell extended stored procedure allows execution of host operating system commands and executables outside the controls of database access permissions. Commands run in the security context of the SQL Server service account (or, for callers who are not members of sysadmin, the configured xp_cmdshell proxy account), so a malicious user who has compromised the SQL Server database process may use this access to control the host operating system and perpetrate further malicious activity. |
STIG | Date |
---|---|
Microsoft SQL Server 2005 Instance Security Technical Implementation Guide | 2015-06-16 |
Check Text ( C-22811r2_chk ) |
---|
From the query prompt:

```sql
SELECT u.name
FROM [master].dbo.sysobjects o, [master].dbo.sysusers u, [master].dbo.sysprotects p
WHERE p.uid = u.uid
  AND p.id = o.id
  AND o.name = 'xp_cmdshell'
ORDER BY u.name
```

If any accounts are returned, verify that the IAO has documented and approved their use of xp_cmdshell in the System Security Plan. If use is not documented or not authorized, this is a Finding. If any non-DBA accounts are listed, this is a Finding. Note that this query returns only explicit permission entries on the procedure (grants and denies alike); members of the sysadmin fixed server role can execute xp_cmdshell without any explicit grant and are not listed, so review sysadmin membership separately.

From the query prompt:

```sql
SELECT CAST(value AS INT) 'Config_Value'
FROM [master].sys.configurations
WHERE name = 'xp_cmdshell'
```

If a value of 0 is returned for Config_Value, this is Not a Finding. If a value of 1 is returned for Config_Value, confirm in the System Security Plan that this option is documented, required and approved by the IAO. If it is not documented, required and approved, this is a Finding. The value column is the configured setting; value_in_use in the same view is the setting the instance is currently enforcing, and the two differ until RECONFIGURE has been run. |
Fix Text (F-19735r1_fix) |
---|
Authorize and document requirements for use of the xp_cmdshell option in the System Security Plan and AIS Functional Architecture documentation. Where not authorized, disable or restrict its use.

To revoke an individual account's explicit permission, from the query prompt:

```sql
USE master
REVOKE EXECUTE ON xp_cmdshell FROM [user]
```

Replace 'user' with the user account name.

To disable the option, from the query prompt:

```sql
EXEC SP_CONFIGURE 'show advanced options', 1
RECONFIGURE
EXEC SP_CONFIGURE 'xp_cmdshell', 0
RECONFIGURE
```

The RECONFIGURE after enabling 'show advanced options' is required: xp_cmdshell is an advanced option, and sp_configure rejects it until the advanced-options setting has taken effect. |
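The check and fix above combined into one audit-and-remediate script, added here as an example and not taken from the STIG. It uses the SQL Server 2005 catalog views (sys.configurations, sys.database_permissions, sys.server_role_members) instead of the sysobjects/sysprotects compatibility views, reports both the configured and the in-use value, lists the sysadmin members that a permission query cannot show, and disables the option only when the @Authorized flag is 0. @Authorized is an assumed placeholder standing in for the IAO approval recorded in the System Security Plan.

```sql
-- Added example (not part of the STIG): audit xp_cmdshell exposure on a
-- SQL Server 2005+ instance and disable it when use is not authorized.
USE master;
GO

-- 1. Configured vs. running value. 'value' is what sp_configure last set;
--    'value_in_use' is what the engine enforces now. They differ until
--    RECONFIGURE has been run, so report both.
SELECT name,
       CAST(value        AS int) AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Explicit EXECUTE permission entries on xp_cmdshell in master.
--    state_desc distinguishes GRANT from DENY, which the sysprotects
--    query in the check text does not.
SELECT pr.name          AS principal_name,
       pr.type_desc     AS principal_type,
       pe.state_desc    AS permission_state,
       pe.permission_name
FROM sys.database_permissions AS pe
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE o.name = 'xp_cmdshell'
  AND pe.class = 1                      -- OBJECT_OR_COLUMN
  AND pe.permission_name = 'EXECUTE'
ORDER BY pr.name;

-- 3. Logins that can run xp_cmdshell with no explicit grant at all:
--    members of the sysadmin fixed server role. Review these against
--    the list of authorized DBAs.
SELECT m.name AS sysadmin_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 4. Remediate. @Authorized is an assumed placeholder: set it to 1 only
--    when the SSP documents the requirement and the IAO has approved it.
DECLARE @Authorized bit;
SET @Authorized = 0;

IF @Authorized = 0
   AND EXISTS (SELECT 1
               FROM sys.configurations
               WHERE name = 'xp_cmdshell'
                 AND CAST(value_in_use AS int) = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;                 -- must take effect before the advanced option is accepted
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;  -- restore the default visibility
    RECONFIGURE;
END;
```

Run the script as a sysadmin against each instance in scope; the first three result sets are the evidence to attach to the finding, and step 4 leaves the configured and running values both at 0 when it fires.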