xp_logininfo and Best Practice

Question
All,
Is it a good idea to grant EXEC rights on xp_logininfo to user logins and service ids? We DBAs have access to it and today we were asked to grant access to this Extended Procedure to a Login used by Tidal to run all our processes.
My question is from the security perspective because it can query the AD database. If someone can point me to a best practice document that would be great.
Our SQL Server is SQL Server 2016.
Thanks,
rgn
Saturday, February 2, 2019 12:55 AM
Answers
Is it a good idea to grant EXEC rights on xp_logininfo to user logins and service ids? We DBAs have access to it and today we were asked to grant access to this Extended Procedure to a Login used by Tidal to run all our processes.
The general best practice for security is to grant only the minimal permissions needed for an application to function or for people to do their jobs.
It seems appropriate here to grant the Tidal account execute permissions on xp_logininfo. My guess is that Tidal uses that proc to validate the job execution account.
Dan Guzman, Data Platform MVP, http://www.dbdelta.com
- Proposed as answer by Puzzle_Chen Monday, February 4, 2019 5:16 AM
- Marked as answer by Olaf Helper MVP Friday, September 27, 2019 1:12 PM
Saturday, February 2, 2019 4:36 PM
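
One way to apply the least-privilege grant discussed in the answer above, shown as an added example that is not part of the original thread. The login `CORP\svc_tidal` and the role `xp_logininfo_exec` are placeholder names chosen for illustration; the script grants EXECUTE on the one procedure only and then lists who holds that permission so the grant can be reviewed later.

```sql
-- xp_logininfo lives in master, so a non-sysadmin caller needs a user there
-- plus EXECUTE on the procedure.
USE master;
GO

-- Placeholder login name (assumption): substitute the scheduler's real login.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'CORP\svc_tidal')
    CREATE USER [CORP\svc_tidal] FOR LOGIN [CORP\svc_tidal];
GO

-- Hypothetical role name: granting through a role keeps the permission
-- in one place that is easy to audit and revoke.
IF NOT EXISTS (SELECT 1 FROM sys.database_principals
               WHERE name = N'xp_logininfo_exec' AND type = 'R')
    CREATE ROLE xp_logininfo_exec;
GO

GRANT EXECUTE ON OBJECT::sys.xp_logininfo TO xp_logininfo_exec;
ALTER ROLE xp_logininfo_exec ADD MEMBER [CORP\svc_tidal];
GO

-- Review: every principal with an explicit permission on xp_logininfo.
SELECT grantee.name        AS grantee,
       grantee.type_desc   AS grantee_type,
       perm.permission_name,
       perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_principals  AS grantee
  ON grantee.principal_id = perm.grantee_principal_id
WHERE perm.class = 1
  AND perm.major_id = OBJECT_ID(N'sys.xp_logininfo');

-- Review: current members of the role.
SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'xp_logininfo_exec';
```
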
All replies
I'm not aware of any official 'best practice' for use of xp_logininfo extended stored proc.
I think appropriate use is going to be driven primarily by your organization's specific security policies and requirements.
In official documentation, you can read exactly what the proc can and cannot do:
xp_logininfo (Transact-SQL)
It basically just gives users access and visibility to Active Directory account information.
Compare its capabilities to what your security requirements are and base your decision on how to use (or not) on that.
Hope that helps,
Phil Streiff, MCDBA, MCITP, MCSA
- Edited by philfactor Saturday, February 2, 2019 4:06 PM
Saturday, February 2, 2019 4:03 PM