• Arjen Krap (4/1/2013)


    So, if I understand correctly, the only use of turning off xp_cmdshell is to remind database administrators that it is company policy not to use xp_cmdshell.

    I also read on MSDN that it is possible to disable xp_cmdshell by Policy-Based Management. Does this work effectively? Does this work effectively for the other means of executing Operating System Commands?

    That's pretty much what I've been trying to get across to people. Without taking other steps, the only security it provides is a log file that says someone turned it on. For those that didn't take the other steps, it's a log about when you got hacked.

    I've not tried it because I use xp_CmdShell but, from what I've seen, PBM is very good at keeping it turned off. Like I said though, if your system isn't secure, even that won't matter. People can use other methods to get to command line functionality if they get into SQL Server as an "SA".

    --Jeff Moden

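An added example, not part of the thread or any poster's code: the reply above says a disabled xp_cmdshell mainly gives you a log entry when someone turns it on, so this sketch reads SQL Server error log text and reports each period during which the option was enabled. It assumes the standard "Configuration option ... changed from X to Y" error log message; the sample lines, logins and session ids are constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in the SQL Server error log layout (not from a real server).
SAMPLE_LOG = """\
2013-04-01 09:58:11.20 Logon       Login succeeded for user 'app_login'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.15]
2013-04-01 10:02:41.87 spid61      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-04-01 10:02:42.03 spid61      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2013-04-01 10:09:17.55 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
2013-04-01 23:41:05.10 spid74      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

# timestamp, session id, option name, old value, new value
CHANGE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+(?P<spid>\S+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)

def xp_cmdshell_windows(log_text, option="xp_cmdshell"):
    """Return [(enabled_at, disabled_at_or_None, spid)] for each 0 -> 1 change of the option."""
    windows, open_window = [], None
    for line in log_text.splitlines():
        m = CHANGE.match(line)
        if not m or m["opt"].lower() != option.lower():
            continue  # not a change to the option we are tracking
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["old"] == "0" and m["new"] == "1" and open_window is None:
            open_window = (ts, m["spid"])          # option switched on
        elif m["new"] == "0" and open_window is not None:
            windows.append((open_window[0], ts, open_window[1]))
            open_window = None                     # option switched back off
    if open_window is not None:                    # still enabled at end of log
        windows.append((open_window[0], None, open_window[1]))
    return windows

if __name__ == "__main__":
    for start, end, spid in xp_cmdshell_windows(SAMPLE_LOG):
        state = f"disabled {end}" if end else "STILL ENABLED"
        print(f"xp_cmdshell enabled {start} by session {spid}: {state}")
```

The error log line carries only the session id, so tying a window to a login means correlating it with logon or audit records from the same period.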