Revoke permission to execute certain stored procedures (Advanced) - Security Center 5.11

Security Center Hardening Guide 5.11

Product: Security Center
Content type: Guides > Administrator guides
Version: 5.11
Language: English
Last updated: 2023-03-13

For security purposes, it is recommended that you revoke permission to execute some of the stored procedures that are created by default in SQL Server.

The following SQL command can be used to revoke permission:
REVOKE EXECUTE ON [stored procedure] FROM public;
The command blocks the public server-level role from executing the specified stored procedure. Use it to block the following procedures:
  • xp_availablemedia
  • xp_dirtree
  • xp_enumgroups
  • xp_fixeddrives
  • xp_regaddmultistring
  • xp_regdeletekey
  • xp_regdeletevalue
  • xp_regenumvalues
  • xp_regremovemultistring
  • xp_regread
  • xp_regwrite
  • xp_servicecontrol
  • xp_subdirs
NOTE: The following extended stored procedures are used by Security Center features, such as backups or health monitoring of database sizes:
  • xp_dirtree
  • xp_fixeddrives
  • xp_getnetname
The execute permission on these procedures should be given to the account that is used by Security Center to connect to the database. To provide this permission, use the following command:
GRANT EXECUTE ON [stored procedure] TO [Security Center principal]
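
The following script is an added example, not part of the original guide. It applies the REVOKE and GRANT commands above to every procedure in the two lists and then reports the EXECUTE permissions that remain. It assumes it is run in master (where the extended stored procedures are defined) and that SecurityCenterUser, a placeholder name, is the database user in master mapped to the account Security Center uses to connect.

```sql
USE master;  -- extended stored procedures are defined in master
GO
-- Assumption: placeholder for the database user in master that maps to the
-- account Security Center uses to connect. Replace before running.
DECLARE @sc_principal sysname = N'SecurityCenterUser';

-- Work list: revokes from public first, then the grants Security Center needs.
DECLARE @work TABLE (seq int IDENTITY PRIMARY KEY, action varchar(6), name sysname);
INSERT INTO @work (action, name) VALUES
  ('REVOKE', N'xp_availablemedia'),       ('REVOKE', N'xp_dirtree'),
  ('REVOKE', N'xp_enumgroups'),           ('REVOKE', N'xp_fixeddrives'),
  ('REVOKE', N'xp_regaddmultistring'),    ('REVOKE', N'xp_regdeletekey'),
  ('REVOKE', N'xp_regdeletevalue'),       ('REVOKE', N'xp_regenumvalues'),
  ('REVOKE', N'xp_regremovemultistring'), ('REVOKE', N'xp_regread'),
  ('REVOKE', N'xp_regwrite'),             ('REVOKE', N'xp_servicecontrol'),
  ('REVOKE', N'xp_subdirs'),
  ('GRANT',  N'xp_dirtree'), ('GRANT', N'xp_fixeddrives'), ('GRANT', N'xp_getnetname');

DECLARE @action varchar(6), @name sysname, @sql nvarchar(400);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
  SELECT w.action, w.name
  FROM @work AS w
  JOIN sys.all_objects AS o
    ON o.name = w.name AND o.type = 'X'  -- skip procedures absent on this instance
  ORDER BY w.seq;
OPEN c;
FETCH NEXT FROM c INTO @action, @name;
WHILE @@FETCH_STATUS = 0
BEGIN
  SET @sql = CASE @action
    WHEN 'REVOKE' THEN N'REVOKE EXECUTE ON ' + QUOTENAME(@name) + N' FROM public;'
    ELSE N'GRANT EXECUTE ON ' + QUOTENAME(@name)
         + N' TO ' + QUOTENAME(@sc_principal) + N';'
  END;
  PRINT @sql;                      -- keep a record of each statement applied
  EXEC sys.sp_executesql @sql;
  FETCH NEXT FROM c INTO @action, @name;
END
CLOSE c; DEALLOCATE c;

-- Verify: list who still holds EXECUTE on the procedures in the work list.
SELECT o.name AS procedure_name, p.name AS grantee, dp.state_desc
FROM sys.database_permissions AS dp
JOIN sys.all_objects AS o ON o.object_id = dp.major_id AND dp.class = 1
JOIN sys.database_principals AS p ON p.principal_id = dp.grantee_principal_id
WHERE dp.permission_name = 'EXECUTE'
  AND o.name IN (SELECT name FROM @work)
ORDER BY o.name, p.name;
```

After a successful run, the final query should return no rows with public as grantee, and one GRANT row for the Security Center principal on each of xp_dirtree, xp_fixeddrives and xp_getnetname.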