Arjen Krap (4/1/2013)
So, if I understand correctly, the only use of turning off xp_cmdshell is to remind database administrators that it is company policy not to use xp_cmdshell. I also read on MSDN that it is possible to disable xp_cmdshell by Policy-Based Management. Does this work effectively? Does this work effectively for the other means of executing Operating System Commands?
That's pretty much what I've been trying to get across to people. Without taking other steps, the only security it provides is a log file that says someone turned it on. For those that didn't take the other steps, it's a log about when you got hacked.
I've not tried it because I use xp_CmdShell but, from what I've seen, PBM is very good at keeping it turned off. Like I said though, if your system isn't secure, even that won't matter. People can use other methods to get to command line functionality if they get into SQL Server as an "SA".
--Jeff Moden
Change is inevitable... Change for the better is not.
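An added example, not posted by either participant above, that shows the checks a practitioner would run to follow this thread's point: see which OS-execution surfaces are switched on, who holds sysadmin (and can therefore switch them back on), and read the error log entry that a configuration change leaves behind. It assumes you are connected as a sysadmin; `xp_readerrorlog` is an undocumented but widely used procedure, and the three option names are the ones `sys.configurations` actually carries.

```sql
-- Added example (not part of the original thread). Run as a sysadmin.

-- 1. Current state of the configuration options that let a sysadmin reach
--    the operating system: xp_cmdshell is only one of them.
SELECT name, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'clr enabled');

-- 2. Every login in sysadmin can re-enable any of the above with one
--    sp_configure call, so this list is the control that actually matters.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1;

-- 3. The "log file" the reply refers to: sp_configure changes are written
--    to the SQL Server error log. Search the current log (0) of the
--    SQL Server log type (1) for entries mentioning xp_cmdshell.
--    xp_readerrorlog is undocumented; assumption: available on this build.
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 4. Turning the option off (the "company policy reminder" from the thread).
--    'show advanced options' must be on before xp_cmdshell can be set.
EXEC sys.sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sys.sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
```

If step 2 returns more than the logins you expect, disabling xp_cmdshell in step 4 changes nothing about the attack surface: any of those logins can run steps 4 in reverse, and the only trace is the line step 3 finds.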