Category: Data Design

All about Azure Databases, Azure single database, Azure managed instance, Azure Cosmos database, Azure VM based databases

enabling / disabling xp_cmdshell

I am not getting into the discussion of pros and cons of xp_cmdshell. This command helps you to run broad level features inside your SQL server. You can run OS level commands, SSIS packages etc.

Here is how you can enable, disable and use.

To check, if xp_cmdshell is enabled and available to use;

SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value
FROM sys.configurations
WHERE name = 'xp_cmdshell';

Turn on xp_cmdshell

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE

Turn off xp_cmdshell

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE

Here is a simple use case;

EXEC xp_cmdshell 'dir c:\'

Here is how you can enable it, use it and disable;

DECLARE @originalSetting INTEGER = 0;
SELECT @originalSetting = CONVERT(INT, ISNULL(value, value_in_use))
FROM  sys.configurations
WHERE  name = 'xp_cmdshell' ;
 
IF @originalSetting = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 1;
    RECONFIGURE;
END
 
EXEC xp_cmdshell 'dir c:\';
 
IF @originalSetting = 0
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END

You can create a stored procedure and use;

CREATE PROCEDURE sp_SuperCmdShell
(
    @commandToRun VARCHAR(1000)
)
AS
BEGIN
    -- check to see if xp_cmdshell is enabled, if its not
    --   then enable it and run the command then set it back
    --   to not enabled.
    DECLARE @originalSetting INTEGER = 0;
    SELECT @originalSetting = CONVERT(INT, ISNULL(value, value_in_use))
    FROM  sys.configurations
    WHERE  name = 'xp_cmdshell' ;
 
    IF @originalSetting = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
        EXEC sp_configure 'xp_cmdshell', 1;
        RECONFIGURE;
    END
 
    EXEC xp_cmdshell @commandToRun;
 
    IF @originalSetting = 0
    BEGIN
        EXEC sp_configure 'show advanced options', 1;
        RECONFIGURE;
        EXEC sp_configure 'xp_cmdshell', 0;
        RECONFIGURE;
    END
 
END
GO
exec #sp_SuperCmdShell 'dir c:\';

This is not a new feature. It came out with early release of SQL server. If you see the usage command, they are OS level command. With the super privileged access any body can run a “format c:\” OS command and leave your database server in unrecoverable state. My suggestion would be to use it with least privileged proxy account.

Setup SSIS proxy account

If you want to run SSIS Packages from SQL Server Agent, the job might fail because of security context. Here are the steps that can help solve this problem;

Creating a credential to be used by proxy

USE MASTER
GO
--Drop the credential if it is already existing
IF EXISTS (SELECT 1 FROM sys.credentials WHERE name = N'SSISProxyCredentials')
BEGIN
DROP CREDENTIAL [SSISProxyCredentials]
END
GO
CREATE CREDENTIAL [SSISProxyCredentials]
WITH IDENTITY = N'server\ServiceProxyAll',
SECRET = N'secret'
GO

Creating a proxy account, Drop the credential if it is already existing

USE msdb
GO
--Drop the proxy if it is already existing
IF EXISTS (SELECT 1 FROM msdb.dbo.sysproxies WHERE name = N'SSISProxyDemo')
BEGIN
EXEC dbo.sp_delete_proxy
@proxy_name = N'SSISProxyDemo'
END
GO

Create a proxy and use the same credential as created above

--Create a proxy and use the same credential as created above
EXEC msdb.dbo.sp_add_proxy
@proxy_name = N'SSISProxyDemo',
@credential_name=N'SSISProxyCredentials',
@enabled=1
GO

To enable or disable you can use this command

EXEC msdb.dbo.sp_update_proxy
@proxy_name = N'SSISProxyDemo',
@enabled = 1 --@enabled = 0
GO

Granting proxy account to SQL Server Agent Sub-systems

USE msdb
GO
--You can view all the sub systems of SQL Server Agent with this command
--You can notice for SSIS Subsystem id is 11
EXEC sp_enum_sqlagent_subsystems
GO

Grant created proxy to SQL Agent subsystem, You can grant created proxy to as many as available subsystems

EXEC msdb.dbo.sp_grant_proxy_to_subsystem
@proxy_name=N'SSISProxyDemo',
@subsystem_id=11 --subsystem 11 is for SSIS as you can see in the above image
GO

View all the proxies granted to all the subsystems

EXEC dbo.sp_enum_proxy_for_subsystem

Granting proxy access to security principals

USE msdb
GO
--Grant proxy account access to security principals that could be
--either login name or fixed server role or msdb role
--Please note, Members of sysadmin server role are allowed to use any proxy
EXEC msdb.dbo.sp_grant_login_to_proxy
@proxy_name=N'SSISProxyDemo'
,@login_name=N'LABSVR01\ServiceProxyAll'
--,@fixed_server_role=N''
--,@msdb_role=N''
GO

View logins provided access to proxies

EXEC dbo.sp_enum_login_for_proxy
GO

Follow this article setting up proxy account using UI and setting up SSIS environment to use Azure Storage.

SQL Server Agent configuration to run SSIS Packages

Reference

https://www.mssqltips.com/sqlservertip/2163/running-a-ssis-package-from-sql-server-agent-using-a-proxy-account/

Login is from an untrusted domain and cannot be used with integrated authentication

if you are using this connection string in SSIS using windows authentication

Data Source=myserver;Initial Catalog=mydb; Integrated Security=SSPI;Connect Timeout=15;

You will be able to develop your package and run. When it’s get deployed to SQL Server and someone try to run the package, they will get this error.

The reason, windows computer is not joined with Active Directory.

If you still want to run your SSIS package on server, use SQL Server authentication and use this connection string;

Data Source=myserver;Initial Catalog=mydb;User Id=myuser;password=mypassword;Connect Timeout=15;

Hope this will help

How to verify SQL Server is using NTLM / Kerberos authentication

You can execute the below TSQL Query to verify authentication used by SQL Server Connections.

USE master
GO

SELECT auth_scheme FROM sys.dm_exec_connections 
WHERE session_id = @@SPID;
GO

Expected Results

SQL – When SQL Server authentication is used
NTLM – When NTLM authentication is used
KERBEROS – When KERBEROS authentication is used

Reference

How to Verify and Register SPN for SQL Server Authentication with Kerberos Connections

Azure SQL Databases

There are two core models when creating Azure SQL database as PaaS service; DTU and vCore.

DTU is a blend of CPU, Memory, Reads and Writes. A database with 5 DTU will perform better than a database with 1 DTU.

vCore is more robust and feels similar to the on-prem environments. Here you get the option of choosing the Cores.

Databases have varying requirements depending on the workload. Microsoft offers three different instance options;

Single Database deployment

The hosting option create a single database deployment, with dedicated management via an SQL Database server. Being Single, each database is fully isolated and portable across Azure platform.

Single database can also be moved in and out of “elastic pool”, allowing for better resource distribution with multiple database instances.

This instance uses DTU purchasing model for billing. A DTU is the convergence of vCores, RAM and IOPS into a standardized measure for benchmarking and billing database instances. They can be used to figure out the cost by using DTU calculator.

Single instances are best suited to businesses running applications that require a resource guarantee at the database level.

Elastic pool

An elastic pool offers a convenient, cost-effective option for maintaining multiple databases. With multiple databases, there is some unpredictability with how much computational power is needed. For this reason, pooled resources can offer better performance, and value for money.

There are four service tiers but I just looked at two; Serverless and DTU.

Serverless

The serverless compute tier for single database is an autoscaling and auto pause delay service. The cost is summation of compute and storage.

Auto pausing is trigger, if number of sessions = 0 or CPU = 0 for use workload running in the user pool. Auto resuming is triggered when a user login. Auto pausing delay could be 1 hour, max is 7 days.

This is only supported in the General-Purpose tier on Gen5 hardware in vCore purchasing model.

This tier is price-performance optimized with intermittent, unpredictable usage pattern that can afford some delay in compute warm-up after idle usage periods.

DTU (Database Transaction Units)

The most common one is a Single database option. DTU is a blend of CPU, Memory, Reads and Writes and a database having 5 DTUs will perform 5 times better than another database having just 1 DTU.. When selecting DTU, A normal conversation between Developer and IT Pro is;

Developer = I’d like a database server

IT Pro = ok, how much CPU do you need?

Developer = average…whatever the normal is

IT Pro = uh…ok, how many IOPS do you need?

Developer = what’s IOPS?

At the end, either too many or too few resources are provided and no one is happy. DTU take the metrics that determine the performance of a database and mush them together in a measure that we can use to abstract and compare performance.

What should I choose for dev/test?

We may be able to run our dev\test database on the Basic tier (5DTU $5/month) or the Standard S0 tier (10DTU $15/month), or maybe it would make more sense to put them all in a 50DTU elastic pool ($112/month). For production we’ll probably start out with a Standard S3 for our main DB and a Standard S0 or S1 for our auditing DB. Then depending on the loads scale them back or possibly put them in an Elastic Pool together.

The Basic tier is incredibly limited. It’s good for occasional/casual use, and it’s a cheap way to “park” your database when you aren’t using it. But if you’re running any real application, the Basic tier isn’t going to work for you.

The Standard Tier is pretty limited, too, but for small applications it’s capable of meeting your needs. If you have a 2-core server running a handful of databases, then those databases individually might fit into the Standard tier. Similarly, if you have a server with only one database, running 1 CPU core at 100% (or 2 cores running at 50%), it is probably just enough horsepower to tip the scale into the Premium-P1 service tier.

What is DTU? This simple way to understand DTU is;

When we build a SQL server box, we go with CPU count, some amount of RAM, storage configuration for enough IOPS for workload. When you jump to Azure, it’s call DTU. DTU is a blend of CPU, Memory, and Storage (Reads and Writes). A database with 5 DTU will perform better than a database with 1 DTU.

IOPS = Input/Output operations per second (IOPS)

Resources

https://dtucalculator.azurewebsites.net/

https://docs.microsoft.com/en-us/azure/azure-sql/database/serverless-tier-overview

DTU vs vCore in Azure SQL Database