The Command Shell

Recently I heard a few people arguing over the use of xp_cmdshell in a particular situation. One person was adamant that there was a security risk in using this feature. Many of you probably feel the same way, and even the SQL Server platform has recognized there could be dangers with this feature and has it disabled by default, as part of the secure by default installation.

However the security around this procedure has been improved over the years. Non system administrators cannot execute xp_cmdshell by default. Administrators can open up access using a proxy account, but this requires specific configuration changes by administrators. This means that a lot of the danger of using xp_cmdshell for administrative tasks has been removed.

Or has it? This Friday I wanted to poll you and find out what you think. Many of you are creative in how you use SQL Server and will think of possibilities that many of us would not consider.

Is there a security risk in allowing xp_cmdshell to be used by members of the sysadmin role?

I'm not looking for potential issues if a proxy account exists. Instead I'm asking if there are real dangers in allowing administrators to use this tool? I assume you trust your administrators and they will not maliciously use this tool to cause issues in your SQL Server. Let us know how you feel this week.

Steve Jones

The Voice of the DBA Podcasts

We publish three versions of the podcast each day for you to enjoy.

Watch the Windows Media Podcast - 13.3MB WMV
Watch the iPod Video Podcast - 16.1MB MP4
Listen to the MP3 Audio Podcast - 3.3MB MP3

Everyday Jones

The podcast feeds are available at sqlservercentral.mevio.com. You can also follow Steve Jones on Twitter:

Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com. They have a great version of Message in a Bottle if you want to check it out.

I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.

Lockdown or Let Them Free

by Steve Jones

SQLServerCentral.com

Editorial

Do we take security too far? Are we creating unnecessary rules for those that need to use the resources we support? Steve Jones talks today about security and how we might want to approach it when handling rights for developers.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

4.5 (2)

You rated this post out of 5. Change rating

2014-06-27 (first published: 2009-09-21)

218 reads

Discuss

Placing a Value on Data

by Steve Jones

SQLServerCentral.com

Editorial

What's your stolen data worth? It might be worth investigating, as Steve Jones suggests. Then you'll know how much you should be spending to protect it.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2009-08-05

66 reads

Discuss

The Danger of Algorithms

by Steve Jones

SQLServerCentral.com

Editorial

What problems occur because of the algorithm chosen to generate data? A new report says that social security numbers in the US can be predicted. Steve Jones has a few warnings about what algoriothms you choose.

★ ★ ★ ★ ★ ★ ★ ★ ★ ★

You rated this post out of 5. Change rating

2014-04-28 (first published: 2009-07-27)

326 reads

Discuss

Administering Securely

by Steve Jones

SQLServerCentral.com

Editorial

A common request is how can you secure SQL Server data and prevent the system administrator from viewing data. Steve Jones talks a little about the issue and how you can handle it.