Home Forums SQL Server 2005 Administering Is xp_cmdshell Security threat??? RE: Is xp_cmdshell Security threat???

  • April 6, 2013 at 12:48 pm

    #1604233

    Jeff Moden (4/6/2013)

    WayneS (6/22/2009)

    rambilla4 (6/22/2009)

    Hi,

    We are using xp-cmdshell for deleting old backups. But I heard that xp_cmdshell is a big security threat for SQL Server. Is it true?

    That depends. Do you consider this code a threat?

    exec master..xp_cmdshell 'FORMAT C:'

    I know this is a wicked old thread but I have to ask... who can use that command? The answer is "Only people with SA privs" or people that the DBAs where stupid enough to grant a direct execution proxy to.

    That being said and assuming that no one and no thing but the DBAs have the privs to execute xp_CmdShell, why do you think xp_CmdShell provides a security threat?

    Geez Jeff, getting bored and reading threads that have been dead for years?;-)

    I'm in the boat that it isn't so much of a threat if proper controls are in place. And for places where controls are lacking - audit.

    There are good uses for cmdshell. They are being replaced with powershell these days - but not everybody is up to snuff on PoSH.

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw[/url]
    Learn Extended Events