• opc.three (3/26/2013)


    Securing SQL Server by Denny Cherry:

    - page 153 recommends to "disable xp_cmdshell"

    - page 161 recommends "removing the extended stored proc xp_cmdshell" but goes on to say that (paraphrased) "you may need to add them back before doing system upgrades and they can be re-added by a crafty attacker with the right level of permissions and knowledge of the system"

    OK, another one fallen into the same misconception.

    Not really surprising.

    Jeff pointed out that it's a very common one.

    Denny left the back door open for him to escape though.

    Still not sure that knowing how to use "sp_configure" makes you some kind of crafty one. 1 minute on BOL - and you've got everything you need.

    Or 30 seconds on Google, if you're short of time.

    And "right level of permissions" is exactly the same one which is required to use xp_cmdshell. If it's not given - there is no problem at all.

    Another example of a widely published error - BOL for several years was referring to a wrong concept regarding @table and #table.

    So what?

    They had to fix it eventually.

    What about this one?

    http://www.galileowaswrong.com/galileowaswrong/

    _____________
    Code for TallyGenerator
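The post's point is that "disable xp_cmdshell" is only as strong as the ALTER SETTINGS permission that flips it back on, and that permission sits at the same level (sysadmin) as the right to call xp_cmdshell at all. The following T-SQL is an added example, not from the forum post or from the book it discusses; it assumes SQL Server 2005 or later (the sys.* catalog views) and shows the checks a DBA would run to see the option's current state and who could change it.

```sql
-- Added example (not from the forum post or from the book it discusses).
-- Defender-side check: is xp_cmdshell currently enabled, and which logins
-- hold the server-level permission that could turn it back on?
-- Assumes SQL Server 2005 or later (sys.configurations, sys.server_principals).

-- 1. Current state of the 'xp_cmdshell' option.
--    value_in_use = 1 means the extended procedure can be executed right now.
SELECT name, value, value_in_use, description
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. sp_configure + RECONFIGURE only needs ALTER SETTINGS, which the fixed
--    server roles sysadmin and serveradmin carry. These are the logins that
--    could re-enable the option; sysadmin is also what running xp_cmdshell
--    itself requires, hence the post's "same level of permissions" argument.
SELECT r.name AS server_role,
       m.name AS member_login,
       m.type_desc,
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 3. Does the login running this script hold the permission itself?
SELECT HAS_PERMS_BY_NAME(NULL, NULL, N'ALTER SETTINGS') AS can_reconfigure,
       IS_SRVROLEMEMBER(N'sysadmin')                    AS is_sysadmin;
```

The review that matters is therefore the second result set, not the first: as long as the membership list is what you expect, the on/off state of xp_cmdshell is a convenience setting rather than a security boundary. Every change to the option is also written to the SQL Server error log as a "Configuration option 'xp_cmdshell' changed from 0 to 1" message, which is the line to watch for if you want to know when somebody did add it back.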