Home Forums SQL Server 2008 T-SQL (SS2K8) How to call a batch file to execute from an SP RE: How to call a batch file to execute from an SP

  • March 24, 2013 at 8:17 pm

    #1600157

    Sergiy (3/24/2013)

    opc.three (3/24/2013)

    The fact is that a system with xp_cmdshell disabled has less security exposures, has less vulnerabilities and is more auditable than a system where it is enabled.

    OK.

    I'm an intruder on your system.

    If I'm connected using non-systemadmin credentials I cannot execute any call to xp_cmdshell anyway, and I cannot get privileges associated with it.

    So, it does not really matter if it's disabled or enabled - I won't be able even to figure out that.

    Now, if I'm connected as a systemadmin. First thing I will do is

    EXEC sp_configure 'xp_cmdshell', 1

    Immediately followed by

    RECONFIGURE WITH OVERRIDE

    Voilà!

    xp_cmdshell is enabled, no matter what state it was 3 ms ago.

    So, where those promissed "less security exposures, has less vulnerabilities"?

    You're still hung up on external scenarios.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato