xp_instance_regread, xp_regread granted to public on SQL Server 2016

  • Question

  • Our security team has sent us penetration testing alerts that all our SQL Server 2016 instances in Azure (IaaS) have execute permissions granted to public on xp_instance_regread & xp_regread.

    This is not the case on our on-prem SQL-Servers. I assume this must be the default config for SQL Server 2016? 

    If so, what problems could this cause revoking execute permissions?  Is it actually a security risk?

    Thanks,

    Tuesday, March 26, 2019 9:53 AM

All replies

  • Execute permission on registry extended stored procedures to public is dangerous, as a database user can read a password hash out of the registry.

    Found the following link (quite old though) which says these extended procedures can be removed. 

    https://docs.microsoft.com/pt-br/security-updates/windowsupdateservices/18139498

    Hope this helps!



    Tuesday, March 26, 2019 9:36 PM
  • Hi Zoe.Ohara,

     

    >>If so, what problems could this cause revoking execute permissions?  Is it actually a security risk?

     

    xp_regread reads the literal registry path that you specify. xp_instance_regread "converts" the path you specify so that it matches the instance of SQL Server that you're currently using.

     

    If SQL is running under an account which is a member of the local Administrators group then yes someone could read registry keys which they shouldn’t have access to. But there also shouldn’t be anything all that sensitive written to the registry on a production SQL Server. SQL puts basically nothing in there other than a few startup parameters and there shouldn’t be really anything else installed on the system. Anything sensitive that Windows writes to the registry is going to be encrypted.

     

    If users don’t have access to run xp_instance_regread for example they won’t be able to use SSMS as they’ll get an error when they connect to the instance. So to make the error go away you now have to grant the EXECUTE right to xp_instance_regread for every user that connects to the database engine with SSMS (which is probably most of them). This means that removing it from public was meaningless as it’s still granted to everyone that connects, just via their login.

     

    Hope this could help you.

    Best regards,

    Dedmon Dai


    MSDN Community Support

    Wednesday, March 27, 2019 5:47 AM
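
Added example, not part of any reply in this thread: a T-SQL audit that shows who holds permissions on the two procedures discussed above and which account the engine runs under, so the Azure and on-prem instances can be compared before anything is revoked. It uses only standard catalog views and assumes the caller can read permission metadata in master and has VIEW SERVER STATE for the last query.

```sql
-- Added audit example (not from the thread). Run on each instance to compare.
USE master;
GO

-- 1. Explicit permissions on the two registry-read extended procedures.
--    A row with grantee = 'public' and state_desc = 'GRANT' is the finding
--    the penetration test reported.
SELECT  pr.name             AS grantee,
        pr.type_desc        AS grantee_type,
        o.name              AS procedure_name,
        pe.permission_name,
        pe.state_desc
FROM    sys.database_permissions AS pe
JOIN    sys.all_objects          AS o  ON o.object_id     = pe.major_id
JOIN    sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE   pe.class    = 1          -- object-level permissions
  AND   pe.minor_id = 0          -- whole object, not a column
  AND   o.name IN (N'xp_regread', N'xp_instance_regread')
ORDER BY o.name, pr.name;

-- 2. Effective EXECUTE permission for the login running this script.
--    Run it as an ordinary (non-sysadmin) login: sysadmin always returns 1.
SELECT  HAS_PERMS_BY_NAME(N'sys.xp_regread', N'OBJECT', N'EXECUTE')
            AS can_exec_xp_regread,
        HAS_PERMS_BY_NAME(N'sys.xp_instance_regread', N'OBJECT', N'EXECUTE')
            AS can_exec_xp_instance_regread;

-- 3. Account the services run under. Registry reads made through these
--    procedures happen with this account's rights, so check in Windows
--    whether it is a member of the local Administrators group.
SELECT  servicename,
        service_account
FROM    sys.dm_server_services;
```

If query 1 returns no row for public but query 2 still returns 1 for an ordinary login, the permission is reaching that login through another grant, which is the situation the second reply describes.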