WayneS (6/22/2009)
rambilla4 (6/22/2009)
Hi,We are using xp-cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?
That depends. Do you consider this code a threat?
exec master..xp_cmdshell 'FORMAT C:'
I know this is a wicked old thread but I have to ask... who can use that command? The answer is "Only people with SA privs" or people that the DBAs where stupid enough to grant a direct execution proxy to.
That being said and assuming that no one and no thing but the DBAs have the privs to execute xp_CmdShell, why do you think xp_CmdShell provides a security threat?
--Jeff Moden
Change is inevitable... Change for the better is not.