• OK, let's be honest here: bulletproof security models are only good against bullets, but if the hacker throws a grenade instead, they can get through. Contrary to what I perceived to be Jeff's statement that a hacker can gain access to the command prompt if they hack the SA account, I'd say untrue, because they would have to log on to the server itself to access the desktop, and you can disable that ability so that the SA can only access the SQL Server. You can make great strides in protecting your system, and disabling xp_cmdshell is a great one if you don't need it or if you can find a safer alternate method.

    It's like developers who build apps and give the user account DBO access then wonder why they were so easy to hack. Duh, you left the door cracked.

    All that said, though, disabling xp_cmdshell is just one of the security things you have to worry about, and many companies have rigid access controls but often not data security requirements, such as that all credit cards and sensitive customer information have to be encrypted. Consider what happened with Zappos.com: their system security got breached but they had no data security, so boom, lots of customers' credit cards now exposed.

    All in all, good security models are like Ogres. Big and scary, you say? No, layers. Layer it so that the effort is more costly than the next guy they can try. xp_cmdshell is just a small part of a puzzle you need to navigate on a need-by-need basis.

    My opinion, though, is avoid it unless you have no alternative, and if you don't, consider how to layer against its potential effects to prevent misuse.
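
The two checks named in the comment above (turning off xp_cmdshell and not leaving application accounts with DBO rights), written out as T-SQL. This is an added example, not part of the original post; it assumes a SQL Server instance where you hold sysadmin or serveradmin rights, and step 4 reports on whichever database you are connected to.

```sql
-- 1. Current state: value_in_use = 1 means xp_cmdshell can be called right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable it. xp_cmdshell is an advanced option, so expose those first,
--    change the setting, then hide them again.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. The next layer: every enabled member of sysadmin can run the
--    sp_configure calls above with 1 instead of 0, so the switch is
--    only as strong as this list is short.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 4. Application accounts holding db_owner in the current database.
--    Anything here beyond dbo itself deserves a reason.
SELECT m.name AS user_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'db_owner'
ORDER BY m.name;
```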