Jeff Moden (7/31/2015)
Please see (attached) the presentation I did just one time where I explain how to do all of this. Most of it is to help dispel some of the FUD around the tool. I do, however, explain how to properly set it up and use it safely near the end.
I saw that presentation in Kalamazoo and it was great.
I use xp_cmdshell when needed by others by creating stored procedures that do what they need to do with execute as owner. I then grant execute permissions to the people that need to use it. I don't grant anyone permission to use xp_cmdshell directly.
Then again, getting to the heart of the security matter...my "sa" account is disabled as it should be.