Home Forums SQL Server 2008 SQL Server 2008 Administration x-cmdShell access RE: x-cmdShell access

  • September 19, 2012 at 9:17 am

    #1539627

    opc.three (9/4/2012)

    Jeff Moden (9/4/2012)

    opc.three (9/4/2012)

    All sysadmins can execute any commands they wish and those commands will run in the context of the SQL Server service account, i.e. you lose the ability to audit who did what.

    Consider that all sysadmins can turn on xp_CmdShell at the drop of a hat. 😉

    True, but there is an audit trail associated with that, namely an entry into the SQL Server Error Log is made noting that a system configuration was changed. You can also block this through Policy Management, which can be circumvented as well, but it adds an additional barrier. You're assuming all sysadmins are trusted, which is risky. Any barriers that can be placed in the way of a malicious user the better. Having xp_cmdshell enabled is just one more exposure that is better left disabled (IMHO).

    Locked doors only keep honest people out.

    If you have the privledges and the will to do something you shouldn't there isn't much to stop you.