Friday, February 17, 2012

Default Stored Procedures

After a recent audit on our SQL servers, it was
recommended that we remove the following default
procedures where possible. I have not seen any security
checklists on removing these procedures. Should I remove
these if they are not needed? How are they removed? Thanks
for your help.
Xp_CmdShell
Sp_OACreate
Sp_OADestroy
Sp_OAGetErrorInfo
Sp_OAGetProperty
Sp_OAMethod
Sp_OASetProperty
Sp_OAStop
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumvalues
Xp_regread
Xp_regremovemultistring
Xp_regwrite

Most of the extended stored procedures you listed above are considered dangerous and could leave your installation and server prone to attack. You can "drop" extended stored procedures with the sp_DropExtendedProc system stored procedure and then actually deleting the dll from the server.
Try reading SQL Server Security by Chip Andrews, David Litchfield, and Bill Grindlay (Osborne Press) Chapter 9 and Appendix A
Randy Dyess
www.Database-Security.Info

There is no official Microsoft guidance on the removal of these stored
procedures. If you decide to remove these stored procedures, then you
should verify in a test environment prior to attempting this on a
production machine.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
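
An inventory of the procedures named in the question, added here as an example and not posted by anyone in the thread: it reports which of them exist in master, who holds permissions on them, and whether the two related server options are enabled, so the effect of any removal can be judged in a test environment first. It assumes SQL Server 2008 or later (catalog views and multi-row VALUES) and changes nothing.

```sql
-- Added example: read-only audit, makes no changes.
-- Assumption: SQL Server 2008 or later; run while connected with rights
-- to view definitions in master.
USE master;

-- Procedures from the audit recommendation, in their catalog spelling.
DECLARE @procs TABLE (name sysname PRIMARY KEY);
INSERT INTO @procs (name) VALUES
    ('xp_cmdshell'),
    ('sp_OACreate'), ('sp_OADestroy'), ('sp_OAGetErrorInfo'),
    ('sp_OAGetProperty'), ('sp_OAMethod'), ('sp_OASetProperty'), ('sp_OAStop'),
    ('xp_regaddmultistring'), ('xp_regdeletekey'), ('xp_regdeletevalue'),
    ('xp_regenumvalues'), ('xp_regread'), ('xp_regremovemultistring'),
    ('xp_regwrite');

-- One row per procedure and grantee. A NULL type_desc means the procedure
-- is not present; a NULL grantee means no explicit permission is recorded.
SELECT p.name             AS procedure_name,
       o.type_desc        AS object_type,
       pr.name            AS grantee,
       dp.state_desc      AS permission_state,   -- GRANT / DENY
       dp.permission_name AS permission_name     -- normally EXECUTE
FROM @procs AS p
LEFT JOIN sys.all_objects AS o
       ON o.name = p.name
      AND o.schema_id = SCHEMA_ID('sys')
LEFT JOIN sys.database_permissions AS dp
       ON dp.class = 1                           -- object-level permission
      AND dp.major_id = o.object_id
LEFT JOIN sys.database_principals AS pr
       ON pr.principal_id = dp.grantee_principal_id
ORDER BY p.name, pr.name;

-- Server options that gate xp_cmdshell and the sp_OA* procedures.
-- value_in_use = 0 means the feature is currently switched off.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

Rows where the grantee is public are the ones to review first, since every login in master inherits that permission.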
