Usage of SP_OACreate, SP_OAMethod etc.. is a security risk?

Question

I am told that usage of SP_OACreate , SP_OAMethod in SQL Server 2000 is of a security risk.

I am using Strong Name in the assembly and is stored in GAC on the SQL Server Machine.

What are the security implications/compromise ?

Answer 1

These extended stored procedures allow one to instantiate an OLE ("ActiveX") object from inside SQL Server. A typical use case creating an MSXML object and having it send some database data as an HTTP POST.

In my mind, there are two issues with the sp_OACreate etc procedures:

• Only principals in the sysadmin role can execute these by default. Granting and testing these permissions is a pain. (You have to add the user to the Master database and grant them permissions in that database.)

• The permission granted is very broad. You can't just say "ok user, you have the right to create this kind of object and do xyz with it." Instead you say "ok user, you have the right to create any OLE object you want and do anything you want." That is a pretty broad canvas.