This project has moved. For the latest updates, please go here.

Previous SQL Server Proxy Accounts SQL Agent Job Proxy Accounts Next

xp_cmdshell Proxy Account

The xp_cmdshell proxy is required to allow users without sysadmin rights to use the xp_cmdshell routine. The xp_cmdshell proxy account provides a set of Windows authorities that are used by xp_cmdshell in this situation.

If a user who has sysadmin authority uses xp_cmdshell, the Windows authorities granted to the SQL Server service account are used.

If an xp_cmdshell proxy has not been defined, then any use of xp_cmdshell by a user without sysadmin rights fails. This includes use of xp_cmdshell within SQL Agent jobs run using a SQL Agent job proxy. Even after the xp_cmdshell proxy has been defined, users must be granted Execute rights on xp_cmdshell before they can use it.

It is important that an account with low privileges is used for the xp_cmdshell proxy. If an account with high privileges is used, it is possible for a skilled user to exploit the xp_cmdshell proxy account authorities to grant equivalent authorities to another account. Never give the xp_cmdshell proxy account Windows local Administrator authority or SQL Server sysadmin authority.

The xp_cmdshell proxy account must be given read/execute rights on CMD.EXE in the Windows\System32 folder. Preferably this should be done using a GPO.

The following process will configure the xp_cmdshell proxy.

1) Create the xp_cmdshell Windows account.

Follow your site standards to get the proxy account created. Typically, the process takes about 2 days to complete, and often is requested via an email such as the example below.
The supplied password should immediately be changed and recorded in the DBA Password Store. The password must comply with site security policy standards, and it is recommended that the password is at least 20 characters long and contains multiple examples of upper case, lower case, numeric and special characters.
(In SQL Server 2000, only the first 15 characters of the password for a proxy are stored and used. This restriction has been removed for SQL Server 2005 and above.)
AccountCreateTicket.png
2) Start SQL Server Management Studio (Start -> Programs -> Microsoft SQL Server -> SQL Server Management Studio). Connect to the instance using Object Explorer, then right-click on the Server and select Properties.

The remaining processing in this section can also be performed by the sp_xp_cmdshell_proxy_account stored procedure.
SSMSInstanceProperties.png
3) Select the Security page. Check Enable server proxy account and click on the ellipses button by the Proxy account field.
CmdShellProxyEnable.png
4) Set the Location to the domain, enter the proxy account name as specified on the work request, and then click OK.
CmdShellAccountSelect.png
5) Enter the password for the proxy account, and then click OK.
CmdShellProxyPassword.png
6) A credential called ##xp_cmdshell_proxy_account## is automatically created. Management Studio can now be closed.

Any non-sysadmin user that needs to use xp_cmdshell must be granted EXECUTE rights on xp_cmdshell.
If the password for a proxy needs to be changed, see Change a Proxy Account Password.

Copyright © 2012 - 2014 Edward Vassie. License and Acknowledgements
Previous SQL Server Proxy Accounts Top SQL Agent Job Proxy Accounts Next

Last edited Jun 19, 2014 at 6:17 PM by EdVassie, version 5