APPENDIX B

Dangerous Extended Stored Procedures

The following stored procedures could allow an attacker to gain information about the server or to perform actions that could lead to the compromise of the machine. Permissions on these SQL Server stored procedures should be carefully controlled, and should not be granted to the public role. Alternatively, the procedures can be removed entirely from the database:

use master
exec sp_dropextendedproc 'xp_regread'
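To decide which procedures need attention, it helps to list who can currently execute each extended stored procedure in master. The query below is an added example, not from the original text; it assumes SQL Server 2005 or later, where the sys.database_permissions and sys.all_objects catalog views exist, and the suggested_fix column is a hypothetical name for the generated statement.

```sql
-- Added example: audit EXECUTE permissions on extended stored procedures.
-- Assumption: SQL Server 2005 or later (catalog views are not in SQL Server 2000).
USE master;
GO

SELECT
    o.name             AS extended_proc,
    gp.name            AS grantee,
    dp.state_desc      AS permission_state,   -- GRANT, GRANT_WITH_GRANT_OPTION or DENY
    dp.permission_name,
    -- For grants to public, emit a REVOKE statement to review; nothing is executed here.
    CASE
        WHEN gp.name = N'public' AND dp.state IN ('G', 'W')
        THEN N'REVOKE EXECUTE ON '
             + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
             + N' FROM [public];'
    END                AS suggested_fix
FROM sys.database_permissions AS dp
JOIN sys.all_objects          AS o  ON o.object_id     = dp.major_id
JOIN sys.database_principals  AS gp ON gp.principal_id = dp.grantee_principal_id
WHERE dp.class    = 1        -- permission is on an object or column
  AND dp.minor_id = 0        -- object-level, not column-level
  AND dp.type     = 'EX'     -- EXECUTE
  AND o.type      = 'X'      -- extended stored procedure
ORDER BY
    CASE WHEN gp.name = N'public' THEN 0 ELSE 1 END,   -- public grants first
    o.name,
    gp.name;
```

Rows with a non-NULL suggested_fix are the grants to the public role; the generated statements are for review and are not run by the query.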

SQLSecurity.com provides scripts to drop and restore potentially dangerous stored procedures (Extended Stored Proc Removal and Restore Scripts at http://www.sqlsecurity.com/DesktopDefault.aspx?tabid=26). These scripts can be used when installing service packs that require extended stored procedure access.

If procedures are dropped, it is also a good idea to remove the DLL that contains them, to prevent an attacker from re-adding them using sp_addextendedproc. The functions exported by a DLL can be viewed using the dumpbin tool, which is included with Microsoft Visual Studio:

C:\Program Files\Microsoft SQL Server\MSSQL\Binn>dumpbin /exports xplog70.dll

Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file xplog70.dll

File Type: DLL

  Section contains the following exports for XPLOG70.dll

    00000000 characteristics
    398D1636 time date stamp Sun Aug 06 08:39:34 2000
        0.00 version
           1 ordinal base
           8 number of functions
           8 number of names

    ordinal hint RVA      name

          1    0 00001055 ...
