Revoke permission to execute certain stored procedures (Advanced level) - Security Center 5.9

Security Center Hardening Guide 5.9

Series: Security Center 5.9
Revised: 2020-11-30

For security purposes, it is recommended that you revoke permission to execute some of the stored procedures that are created by default in SQL Server.

The following SQL command can be used to revoke permission:
REVOKE EXECUTE ON [stored procedure] FROM public;
The command will block the public server-level role from executing stored procedures. It should be used to block the following procedures:
  • xp_availablemedia
  • xp_dirtree
  • xp_enumgroups
  • xp_fixeddrives
  • xp_regaddmultistring
  • xp_regdeletekey
  • xp_regdeletevalue
  • xp_regenumvalues
  • xp_regremovemultistring
  • xp_regread
  • xp_regwrite
  • xp_servicecontrol
  • xp_subdirs
NOTE: The following extended stored procedures are used by Security Center features, such as backups or health monitoring of database sizes:
  • xp_dirtree
  • xp_fixeddrives
  • xp_getnetname
The execute permission on these procedures should be given to the account that is used by Security Center to connect to the database. To provide this permission, use the following command:
GRANT EXECUTE ON [stored procedure] TO [Security Center principal]
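
The following T-SQL script is an added example, not part of the original guide or of the vendor's tooling. It applies the REVOKE and GRANT steps above to every listed procedure in one pass and then reports the resulting permissions. It assumes it is run in the master database by a sysadmin, and that `SecurityCenterDbUser` (a placeholder name) is a database user in master mapped to the account Security Center uses.

```sql
-- Added example: apply the guide's REVOKE/GRANT steps and report the result.
USE master;
GO
DECLARE @sc_user sysname = N'SecurityCenterDbUser';  -- placeholder, replace with your principal

-- Procedure lists taken from the guide; flags say which step applies to each.
DECLARE @procs TABLE (name sysname PRIMARY KEY, revoke_public bit, grant_sc bit);
INSERT INTO @procs (name, revoke_public, grant_sc) VALUES
    (N'xp_availablemedia', 1, 0), (N'xp_dirtree', 1, 1), (N'xp_enumgroups', 1, 0),
    (N'xp_fixeddrives', 1, 1), (N'xp_regaddmultistring', 1, 0), (N'xp_regdeletekey', 1, 0),
    (N'xp_regdeletevalue', 1, 0), (N'xp_regenumvalues', 1, 0), (N'xp_regremovemultistring', 1, 0),
    (N'xp_regread', 1, 0), (N'xp_regwrite', 1, 0), (N'xp_servicecontrol', 1, 0),
    (N'xp_subdirs', 1, 0), (N'xp_getnetname', 0, 1);

-- Build one statement per procedure. Procedures missing on this SQL Server
-- version are skipped, and GRANTs are skipped if the principal does not exist.
DECLARE @stmt nvarchar(400);
DECLARE stmts CURSOR LOCAL FAST_FORWARD FOR
    SELECT N'REVOKE EXECUTE ON sys.' + QUOTENAME(p.name) + N' FROM public;'
    FROM @procs AS p
    WHERE p.revoke_public = 1 AND OBJECT_ID(N'sys.' + QUOTENAME(p.name)) IS NOT NULL
    UNION ALL
    SELECT N'GRANT EXECUTE ON sys.' + QUOTENAME(p.name) + N' TO ' + QUOTENAME(@sc_user) + N';'
    FROM @procs AS p
    WHERE p.grant_sc = 1 AND OBJECT_ID(N'sys.' + QUOTENAME(p.name)) IS NOT NULL
      AND DATABASE_PRINCIPAL_ID(@sc_user) IS NOT NULL;
OPEN stmts;
FETCH NEXT FROM stmts INTO @stmt;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sys.sp_executesql @stmt;
    FETCH NEXT FROM stmts INTO @stmt;
END
CLOSE stmts; DEALLOCATE stmts;

-- Report EXECUTE permissions that public or the Security Center principal
-- still hold on each listed procedure.
SELECT p.name, p.revoke_public, p.grant_sc,
       USER_NAME(dp.grantee_principal_id) AS grantee, dp.state_desc
FROM @procs AS p
LEFT JOIN sys.database_permissions AS dp
       ON dp.class = 1 AND dp.permission_name = N'EXECUTE'
      AND dp.major_id = OBJECT_ID(N'sys.' + QUOTENAME(p.name))
      AND dp.grantee_principal_id IN (DATABASE_PRINCIPAL_ID(N'public'), DATABASE_PRINCIPAL_ID(@sc_user))
ORDER BY p.name, grantee;
```

In the report, a row with grantee `public` on a procedure where `revoke_public` is 1 means the revoke did not take effect, and a procedure with `grant_sc` set to 1 but no row for the Security Center principal means the grant is missing.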