SQLShark - Friday, February 17, 2017 6:13 AM
Understood. But, considering that only those with sysadmin or controlserver privs can use it or turn it on or off, what amount of security do they think that's going to provide? If a hacker gets in with sysadmin privs, it won't even be a 1ms speed bump for their attack software. If you have a bunch of people that aren't supposed to be using it but have sysadmin or controlserver privs, then you have a security problem. Having xp_CmdShell turned on isn't a security problem. If you'd like, I could send you my presentation on why xp_CmdShell isn't a security problem and what you really need to do to secure your system.
And, yeah... it actually was a compliment because most people won't allow usage of xp_CmdShell ever. It's good to see someone that understands what a valuable tool it is. It's just that enabling it to use it and disabling it when done is an unnecessary complication of code that doesn't provide any extra security.
--Jeff Moden
Change is inevitable... Change for the better is not.