For enhanced security, revoke permissions to execute certain default stored procedures in SQL Server, reducing potential vulnerabilities and ensuring tighter control over database operations.
The following SQL command can be used to revoke permission:
REVOKE EXECUTE ON [stored procedure] FROM public;
This command blocks the public server-level role from executing the named stored procedure. It should be used to block the following procedures:
- xp_availablemedia
- xp_dirtree
- xp_enumgroups
- xp_fixeddrives
- xp_regaddmultistring
- xp_regdeletekey
- xp_regdeletevalue
- xp_regenumvalues
- xp_regremovemultistring
- xp_regread
- xp_regwrite
- xp_servicecontrol
- xp_subdirs
NOTE: The following extended stored procedures are used by Security Center features, for items such as backups or health monitoring of database sizes:
- xp_dirtree
- xp_fixeddrives
- xp_getnetname
The EXECUTE permission on these procedures should be given to the account that is used by Security Center to connect to the database. To provide this permission, use the following command:
GRANT EXECUTE ON [stored procedure] TO [Security Center principal];
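As an added example (not part of the original guidance), the following T-SQL applies the revoke and grant steps above in one script and then lists the EXECUTE permissions that remain, so the result can be checked. [SCService] is an assumed placeholder for the Security Center account's user in master; substitute the real principal.

```sql
-- Added example, not the product's own script: revoke EXECUTE from public on
-- the listed extended stored procedures, grant it back only to the Security
-- Center principal for the three it needs, then verify.
-- Extended stored procedures are defined in master, so run this there.
-- [SCService] is an assumed placeholder for the Security Center database user.
USE master;
GO

-- revoke_public = 1: remove from public; sc_needed = 1: grant to [SCService].
DECLARE @procs TABLE (name sysname PRIMARY KEY, revoke_public bit, sc_needed bit);
INSERT INTO @procs (name, revoke_public, sc_needed) VALUES
    ('xp_availablemedia', 1, 0), ('xp_dirtree', 1, 1), ('xp_enumgroups', 1, 0),
    ('xp_fixeddrives', 1, 1), ('xp_regaddmultistring', 1, 0), ('xp_regdeletekey', 1, 0),
    ('xp_regdeletevalue', 1, 0), ('xp_regenumvalues', 1, 0), ('xp_regremovemultistring', 1, 0),
    ('xp_regread', 1, 0), ('xp_regwrite', 1, 0), ('xp_servicecontrol', 1, 0),
    ('xp_subdirs', 1, 0), ('xp_getnetname', 0, 1);  -- grant-only, not in the block list

DECLARE @sql nvarchar(max) = N'';

-- One REVOKE per blocked procedure; schema is read from the catalog, not assumed.
SELECT @sql += N'REVOKE EXECUTE ON ' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.'
             + QUOTENAME(o.name) + N' FROM [public];' + CHAR(10)
FROM sys.objects AS o
JOIN @procs AS t ON t.name = o.name
WHERE o.type = 'X' AND t.revoke_public = 1;

-- One GRANT per procedure Security Center needs, to its own principal only.
SELECT @sql += N'GRANT EXECUTE ON ' + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.'
             + QUOTENAME(o.name) + N' TO [SCService];' + CHAR(10)
FROM sys.objects AS o
JOIN @procs AS t ON t.name = o.name
WHERE o.type = 'X' AND t.sc_needed = 1;

PRINT @sql;                  -- review the generated statements before running
EXEC sys.sp_executesql @sql;

-- Verify: explicit EXECUTE permissions still present on these procedures.
-- Expect no rows with grantee = public for the revoked ones, and GRANT rows
-- for [SCService] on xp_dirtree, xp_fixeddrives and xp_getnetname.
SELECT o.name AS procedure_name, pr.name AS grantee, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.objects AS o ON o.object_id = p.major_id AND p.class = 1
JOIN sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
JOIN @procs AS t ON t.name = o.name
WHERE p.permission_name = N'EXECUTE'
ORDER BY o.name, pr.name;
GO
```

Members of sysadmin are not affected by these grants, so the Security Center account should connect with a least-privilege login rather than a sysadmin one for the revoke to have any effect on it.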