It is my understanding that if xp_fileexist is granted 'Public' then a normal user can use it to cause the SQL server to initiate connections to remote machines. One will have the same rights and permissions as whichever NT account is configured to start SQL server. This account is generally either an administrator or system account. In either case, a substantial risk is posed if the extended procedure is not locked down to not allow non-sa users to execute it.
Is the statement above accurate for SQL 2005? I know it was the case for previous versions. Can someone please confirm that this is still a risk with '05?
Thank you.