• Jeff Moden (4/6/2013)

    WayneS (6/22/2009)

    rambilla4 (6/22/2009)


    We are using xp_cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?

    That depends. Do you consider this code a threat?

    exec master..xp_cmdshell 'FORMAT C:'

    I know this is a wicked old thread but I have to ask... who can use that command? The answer is "Only people with SA privs" or people that the DBAs were stupid enough to grant a direct execution proxy to.

    That being said and assuming that no one and no thing but the DBAs have the privs to execute xp_CmdShell, why do you think xp_CmdShell provides a security threat?

    Geez Jeff, getting bored and reading threads that have been dead for years? ;-)

    I'm in the boat that it isn't so much of a threat if proper controls are in place. And for places where controls are lacking - audit.

    There are good uses for cmdshell. They are being replaced with powershell these days - but not everybody is up to snuff on PoSH.

    Jason...AKA CirqueDeSQLeil
    I have given a name to my pain...MCM SQL Server, MVP
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events
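Jeff's question (who can actually execute xp_cmdshell) and Jason's answer (it is fine if proper controls are in place, and audit where they are not) both come down to a handful of catalog checks. The T-SQL below is an added example and is not code posted by anyone in this thread; it assumes SQL Server 2005 or later and a login with sysadmin rights or VIEW DEFINITION on master, and it only reads state except for the clearly marked remediation block at the end.

```sql
-- Added example: inventory the ways xp_cmdshell can be reached on an instance.
-- Assumes SQL Server 2005+ catalog views; run from master.
USE master;

-- 1. Is the feature switched on at all? (value_in_use = 1 means enabled)
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Who is sysadmin? These logins can run xp_cmdshell (and re-enable it)
--    without any explicit grant, so this is the "SA privs" population Jeff means.
SELECT mem.name AS login_name, mem.type_desc, mem.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r   ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS mem ON rm.member_principal_id = mem.principal_id
WHERE r.name = 'sysadmin'
ORDER BY mem.name;

-- 3. Has anyone outside sysadmin been granted EXECUTE on xp_cmdshell directly?
--    This is the "direct execution proxy" case: a master user mapped to a login.
SELECT dp.name AS master_user, dp.type_desc, pe.permission_name, pe.state_desc,
       sp.name AS mapped_login
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS dp ON pe.grantee_principal_id = dp.principal_id
LEFT JOIN sys.server_principals AS sp ON dp.sid = sp.sid
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
  AND pe.major_id = OBJECT_ID('master.sys.xp_cmdshell')
  AND pe.permission_name = 'EXECUTE';

-- 4. Does a proxy credential exist? Without it non-sysadmin grantees cannot run
--    the shell; with it they run as the stored Windows account, so its identity
--    matters as much as the grant list above.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. Remediation for a server that should not expose it (run only after the
--    results above have been reviewed; step 2 cannot be "fixed" here, it is
--    the DBA population and needs to be governed, not revoked blindly).
-- EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
-- EXEC sp_configure 'xp_cmdshell', 0;           RECONFIGURE;
-- REVOKE EXECUTE ON master.sys.xp_cmdshell FROM [some_master_user];  -- placeholder name
-- EXEC sp_xp_cmdshell_proxy_account NULL;       -- drops the proxy credential
```

Queries 1 through 4 are the audit Jason refers to: schedule them and diff the output, and any new row in 2, 3 or 4 is a change someone should be able to explain. Query 2 is the one most people forget; disabling xp_cmdshell with sp_configure does nothing against a sysadmin login, because that login can turn it straight back on, so the real control is how many logins hold sysadmin at all.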