• Jeff, you're a gentleman and a scholar, and it distresses me that much more that I cannot make my point clearly. You have seen countless of my posts. I absolutely do recommend alternatives to xp_cmdshell, namely PowerShell, SSIS, .NET, anything but xp_cmdshell. One more item to clear up: I absolutely alert folks to keep control of their list of sysadmin members, but again that's only one part of the story.

    I think you are ignoring a significant point which is that security must be layered throughout an environment. Leaving xp_cmdshell enabled, and not protecting a change in its configuration with PBM and possibly even removing the xsp altogether depending on what else the system is tasked with doing, is leaving an available layer out of the mix. If you say that an extremely skilled DBA can get around those roadblocks in a short amount of time and therefore it is not worth adding them, that's apathy in my opinion and does not make for a security strategy. Consider that things don't always go the way you want them to. What if there is an AD group that is in the sysadmin Role because that's how the Enterprise does things and you do not always know or have control over the people who are in the sysadmin Role? It happens. You know what else happens? People leave passwords unprotected in notebooks, whiteboards and other places like in the comments of a website page served publicly.

    It takes no time at all to add some additional roadblocks in an "instance setup" script that can have a net positive effect on the security of your data. You are a reasonable person; will you not concede that taking those steps would improve security of the data and improve auditability of the environment, however minuscule you think the improvement might be? I am saying that enabling xp_cmdshell has a negative net effect on security and taking these steps I mentioned has a positive net effect, so there really is no choice. xp_cmdshell has no place in an environment. Yes, there are other areas of weakness in an environment, but why put out a welcome mat?

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato