• Michael L John (3/21/2013)


    I stand corrected.

    BUT I also stand by the statement because unfortunately poor security seems to be the norm. It seems as if DBAs are so busy with everything else that security is overlooked.

    I will amend the statement to be:

    "xp_cmdshell CAN be a security risk"

    Nope, you had it right the first time!

    Leaving xp_cmdshell enabled exposes the system to the option for people in the sysadmin Role to access the server's file system using someone else's credential, namely the SQL Server service account. That leaves a gaping hole in the auditability of a system, which for me constitutes a security exposure and a threat to the system.

    I would leave xp_cmdshell disabled and put up every roadblock and auditing option (e.g. Policy Based Management) to keep it disabled, and log attempts to enable it. It's just not worth it. There are so many better options out there than to allow cmd-shell and file system access through your database engine.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
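
Added example, not part of the post above or of any poster's code: one way to act on "log attempts to enable it" is to scan the SQL Server error log for the message sp_configure writes when an option is changed, and report the windows during which xp_cmdshell was switched on. The sample log lines are constructed, and the function name is hypothetical.

```python
import re
from datetime import datetime

# Constructed sample lines in SQL Server error log layout (not from a real server).
SAMPLE_LOG = """\
2013-03-21 09:58:11.20 spid52      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-03-21 09:58:40.75 spid52      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-03-21 10:02:13.08 spid52      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2013-03-21 10:02:13.10 spid52      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2013-03-21 23:41:07.91 spid67      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# Timestamp, session id, then the configuration-change message.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d)\s+(?P<spid>spid\d+s?)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def xp_cmdshell_windows(log_text):
    """Return the windows during which xp_cmdshell was set to 1.

    Each window records the enabling session and start time, plus the end
    time and disabling session (both None if it was never switched back).
    The log gives a session id only, so mapping it to a login needs other
    audit data.
    """
    windows, current = [], None
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["opt"].lower() != "xp_cmdshell":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
        if m["new"] == "1" and current is None:
            current = {"enabled_by": m["spid"], "start": ts,
                       "end": None, "disabled_by": None}
            windows.append(current)
        elif m["new"] == "0" and current is not None:
            current["end"], current["disabled_by"] = ts, m["spid"]
            current = None
    return windows

if __name__ == "__main__":
    for w in xp_cmdshell_windows(SAMPLE_LOG):
        state = f"closed after {w['end'] - w['start']}" if w["end"] else "STILL ENABLED"
        print(f"{w['start']} enabled by {w['enabled_by']}: {state}")
```

A window that never closes, like the last one in the sample, is the case to alert on first.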