[Cialug] MS SSIS PowerShell (db server running shell command)

jim kraai jimgkraai at gmail.com
Mon Oct 12 14:20:53 UTC 2020


agreed

another channel of inquiry has pointed out that
1. the command will run with whatever account is set
in ##xp_cmdshell_proxy_account##, so an account could be created that is
only able to do a restricted set of things
2. in the executing sp, might be able to flip the xp_cmdshell flag on, run
the command, and flip it back off.  checking on risks and overhead for
doing that



On Mon, Oct 12, 2020 at 9:07 AM Dave Weis <djweis at sjdjweis.com> wrote:

> One concern would be giving the sql database user high enough privileges to
> modify ad.
>
> It would be a lot of work but have a service that checks the user list in
> both systems and creates users every hour.
>
>
>
> On Mon, Oct 12, 2020, 8:56 AM jim kraai <jimgkraai at gmail.com> wrote:
>
> > What are my pitfalls going to be making a powershell script for SSIS to
> > execute via stored procedure to create an AD account?
> >
> > I'm not asking for homework help.  I very much need to know how I'm likely
> > to screw this up to prevent that from happening.
> >
> > I see security implications.  Those give me pause.  How can I mitigate
> > those?
> >
> > Thanks!
> >
> > -jim
> > _______________________________________________
> > Cialug mailing list
> > Cialug at cialug.org
> > https://www.cialug.org/cgi-bin/mailman/listinfo/cialug
> >
>
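
Added example, not part of the thread: a T-SQL sketch of the two points in the top message, first auditing the xp_cmdshell flag and the ##xp_cmdshell_proxy_account## credential, then a wrapper that turns the flag on for a single call and always turns it back off. The procedure name, script path and parameter are hypothetical, and CREATE OR ALTER assumes SQL Server 2016 SP1 or later.

```sql
-- Added example; names marked "hypothetical" are assumptions, not from the thread.
-- Part 1: audit the current state (run as a sysadmin).
SELECT name, value_in_use            -- 1 = xp_cmdshell currently enabled
FROM sys.configurations
WHERE name = N'xp_cmdshell';

SELECT name, credential_identity     -- Windows account used for non-sysadmin callers
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- Part 2: wrapper that enables xp_cmdshell only for the duration of one call.
-- The execution context needs ALTER SETTINGS (sysadmin or serveradmin) for
-- RECONFIGURE, and RECONFIGURE cannot run inside a user transaction.
GO
CREATE OR ALTER PROCEDURE dbo.usp_CreateAdAccount   -- hypothetical name
    @SamAccountName sysname
AS
BEGIN
    SET NOCOUNT ON;
    -- Allow-list the only caller-supplied value before it reaches a command line.
    IF @SamAccountName IS NULL OR LEN(@SamAccountName) NOT BETWEEN 1 AND 20
       OR @SamAccountName COLLATE Latin1_General_BIN LIKE N'%[^A-Za-z0-9._-]%'
        THROW 50001, 'Invalid account name.', 1;

    -- Hypothetical script path and parameter; the command text is otherwise fixed.
    DECLARE @cmd nvarchar(4000) =
        N'powershell.exe -NoProfile -NonInteractive -File "C:\Scripts\New-AdAccount.ps1" -SamAccountName '
        + @SamAccountName;
    DECLARE @rc int;

    EXEC sp_configure N'show advanced options', 1; RECONFIGURE;
    EXEC sp_configure N'xp_cmdshell', 1;           RECONFIGURE;
    BEGIN TRY
        EXEC @rc = master..xp_cmdshell @cmd, no_output;
    END TRY
    BEGIN CATCH
        SET @rc = -1;                -- fall through so the flag is still reset
    END CATCH;
    -- Always switch the flag back off, whether the command succeeded or not.
    EXEC sp_configure N'xp_cmdshell', 0;           RECONFIGURE;
    EXEC sp_configure N'show advanced options', 0; RECONFIGURE;

    IF @rc <> 0 THROW 50002, 'Account creation command failed.', 1;
END;
```

The flag is server-wide, so while the wrapper has it on, any other session with EXECUTE on xp_cmdshell can use it too. Callers in the sysadmin role run xp_cmdshell as the SQL Server service account; the proxy account only applies to non-sysadmin callers.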

