For security purposes, it is recommended that you revoke permission to execute some of the extended stored procedures that are created by default in SQL Server.
The following SQL command can be used to revoke that permission:
REVOKE EXECUTE ON [stored procedure] FROM public;
The command will block the public server-level role from executing the named stored procedure. It should be used to block the following procedures:
- xp_availablemedia
- xp_dirtree
- xp_enumgroups
- xp_fixeddrives
- xp_regaddmultistring
- xp_regdeletekey
- xp_regdeletevalue
- xp_regenumvalues
- xp_regremovemultistring
- xp_regread
- xp_regwrite
- xp_servicecontrol
- xp_subdirs
NOTE: Some extended stored procedures are used by Security Center features, such as backups or health monitoring of database sizes. The following extended stored procedures are used by those features:
- xp_dirtree
- xp_fixeddrives
- xp_getnetname
The execute permission on these procedures should be given to the account that is used by Security Center to connect to the database. To provide this permission, use the following command:
GRANT EXECUTE ON [stored procedure] TO [Security Center principal];
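As an added example that is not part of this guide, the following T-SQL script applies the REVOKE statement above to every procedure in the list, re-grants EXECUTE on the three procedures Security Center needs, and then queries the resulting permissions so the change can be verified. The principal name [SCServiceUser] is a placeholder for the actual Security Center account, and the script assumes that account already exists as a user in the master database.

```sql
-- Added example, not from the hardening guide itself.
-- Extended stored procedures (xp_*) live in master, so the permissions
-- are revoked, granted and checked there.
-- Placeholder: replace [SCServiceUser] with the real Security Center principal.
USE master;
GO

-- Procedures the guide says should not be executable by public.
DECLARE @procs TABLE (name sysname);
INSERT INTO @procs (name) VALUES
    ('xp_availablemedia'), ('xp_dirtree'), ('xp_enumgroups'),
    ('xp_fixeddrives'), ('xp_regaddmultistring'), ('xp_regdeletekey'),
    ('xp_regdeletevalue'), ('xp_regenumvalues'), ('xp_regremovemultistring'),
    ('xp_regread'), ('xp_regwrite'), ('xp_servicecontrol'), ('xp_subdirs');

-- Build and run one REVOKE per procedure; QUOTENAME guards the identifier.
DECLARE @sql nvarchar(max) = N'';
SELECT @sql += N'REVOKE EXECUTE ON ' + QUOTENAME(name) + N' FROM public;' + CHAR(10)
FROM @procs;
EXEC sys.sp_executesql @sql;

-- Security Center still needs these three for backups and size monitoring.
SET @sql = N'';
SELECT @sql += N'GRANT EXECUTE ON ' + QUOTENAME(name) + N' TO [SCServiceUser];' + CHAR(10)
FROM (VALUES ('xp_dirtree'), ('xp_fixeddrives'), ('xp_getnetname')) AS v(name);
EXEC sys.sp_executesql @sql;

-- Verification: REVOKE deletes the permission row, so after this script
-- no row should list 'public' as grantee for any of these procedures, and
-- exactly three rows should list the Security Center account.
SELECT o.name  AS procedure_name,
       pr.name AS grantee,
       dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.objects AS o
  ON o.object_id = dp.major_id AND dp.class = 1
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.permission_name = 'EXECUTE'
  AND o.name IN (SELECT name FROM @procs UNION SELECT 'xp_getnetname')
ORDER BY o.name, pr.name;
```

Run the script as a sysadmin from SSMS or sqlcmd; the final SELECT is the check to keep in a hardening review, since any remaining 'public' row means the revoke did not take effect.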