dbTalk Databases Forums  

Which is more secure?

microsoft.public.sqlserver.dts

#1  Raymond Lewallen, 10-21-2004, 08:02 AM

If from a DTS package, you need to combine 2 files to make one, which is the
better, more secure way to do it from the following 3 methods, and why?

1) Have an Sql Task that performs the following:
exec master.dbo.xp_cmdshell 'copy c:\temp\file1.dat+c:\temp\file2.dat c:\temp\final.dat', NO_OUTPUT

Or

2) Have a copy.bat that contains 'copy c:\temp\file1.dat+c:\temp\file2.dat c:\temp\final.dat' and execute it as a Win32 process in an Execute Process Task

Or

3) Have VBScript in an ActiveX Script Task that contains the following?

Function Main()
    ' Read input files
    InputFile1 = "c:\temp\file1.dat"
    InputFile2 = "c:\temp\file2.dat"
    OutputFile = "c:\temp\final.dat"
    str_InputFile1 = ReadTextFile(InputFile1)
    str_InputFile2 = ReadTextFile(InputFile2)

    ' Join the two files, separated and followed by blank lines
    str_Output = str_InputFile1 & vbCrLf & vbCrLf & str_InputFile2
    str_Output = str_Output & vbCrLf & vbCrLf

    ' Write output file
    WriteToFile OutputFile, str_Output

    ' Report success to the DTS ActiveX Script Task
    Main = DTSTaskExecResult_Success
End Function

' Functions
Function WriteToFile( str_FileName, str_Message )
    Set obj_FSO = CreateObject("Scripting.FileSystemObject")

    ' 2 = ForWriting, True = create if missing, 0 = ASCII
    Set obj_OutputFile = obj_FSO.OpenTextFile(str_FileName, 2, True, 0)
    obj_OutputFile.WriteLine(str_Message)
    obj_OutputFile.Close
    Set obj_OutputFile = Nothing
    Set obj_FSO = Nothing
End Function

Function ReadTextFile( str_FileName )
    Set obj_FSO = CreateObject("Scripting.FileSystemObject")
    Set obj_InputFile = obj_FSO.GetFile(str_FileName)
    ' 1 = ForReading, 0 = TristateFalse (ASCII)
    Set obj_TextStream = obj_InputFile.OpenAsTextStream(1, 0)
    str_Text = obj_TextStream.ReadAll
    obj_TextStream.Close
    Set obj_TextStream = Nothing
    Set obj_InputFile = Nothing
    Set obj_FSO = Nothing
    ReadTextFile = str_Text
End Function
--

Raymond Lewallen



#2  Bonj, 10-21-2004, 10:17 AM

It would depend on who has access to the DTS to change / execute it, and on
what computer it runs on.
But, I'd say that using xp_cmdshell requires you to be a member of the
sysadmin role, so the account that executes this (successfully) can do
anything they want on the server. So it wouldn't be a good idea to run this
under the account of semi-trusted personnel.


#3  Raymond Lewallen, 10-21-2004, 12:08 PM

Quote:
It would depend on who has access to the DTS to change / execute it, and on what computer it runs on.

The package is owned by a SQL account with no assigned server roles, and has
a public role in the database to which the task has a connection. The
package executes via a scheduled job, in which a Windows user account with
access to the directories to read/write the files is the same account the
SQL Server Agent service is running under.

Quote:
But, I'd say that using xp_cmdshell requires you to be a member of the sysadmin role, so the account that executes this (successfully) can do anything they want on the server.

A non-sysadmin user can execute xp_cmdshell by impersonating the SQL Server
Agent Proxy account specified for the server.

--
Raymond Lewallen
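
An audit of the two points raised in this thread (who can reach xp_cmdshell, and which Windows account a non-sysadmin caller's command runs as), given as an added example that is not part of the original posts. It assumes SQL Server 2005 or later, where the catalog views used below exist; the server discussed in the thread is DTS-era and may predate them.

```sql
-- Added example: review exposure of xp_cmdshell on an instance.
-- Assumption: SQL Server 2005 or later (sys.* catalog views available).
USE master;

-- 1. Is xp_cmdshell enabled at all? (1 = enabled, 0 = disabled)
SELECT name,
       CAST(value_in_use AS int) AS enabled
FROM   sys.configurations
WHERE  name = N'xp_cmdshell';

-- 2. Is a proxy credential configured? If a row comes back, callers who are
--    not sysadmin run their OS commands as this Windows account, so its
--    file-system and network rights are what a non-sysadmin caller gets.
SELECT name,
       credential_identity,
       modify_date
FROM   sys.credentials
WHERE  name = N'##xp_cmdshell_proxy_account##';

-- 3. Which database principals in master were granted (or denied) EXECUTE
--    on xp_cmdshell? Each GRANT row is a non-sysadmin path to the OS.
SELECT pr.name          AS grantee,
       pr.type_desc     AS grantee_type,
       pe.state_desc    AS permission_state,
       pe.permission_name
FROM   sys.database_permissions AS pe
JOIN   sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.class = 1                                   -- object-level permission
  AND  pe.major_id = OBJECT_ID(N'sys.xp_cmdshell')
  AND  pe.permission_name = N'EXECUTE';

-- 4. Members of sysadmin: they can always run xp_cmdshell once it is enabled,
--    and their commands run as the SQL Server service account, not the proxy.
SELECT m.name      AS sysadmin_member,
       m.type_desc AS member_type
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin';
```

Rows from steps 2 and 3 together identify every non-sysadmin login that can run OS commands and the Windows identity those commands inherit.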



