• opc.three (4/5/2013)


    The recommendation is to leave xp_cmdshell disabled. There is nothing xp_cmdshell offers beyond personal preference and familiarity that cannot be done in a more secure, auditable way, in the same or less time.

    While I believe that auditing is a good thing, it doesn't actually prevent anything, especially when someone undesirable gets in with administrative privs. Only proper security can help in that area.

    I'll double check the OPENROWSET hack on a 64 bit 2008 system and get back to you. But you don't actually need to go to such extremes. If someone gets in as SA, it's not going to matter if you have xp_CmdShell turned off or not. 😉

    Some shops have the SQL Agent service disabled in their environment.

    What were they using to schedule their jobs, then?

    Shifting gears a bit, you've been stressing the auditing aspect of things. What type of system auditing do you currently have set up on your machines?

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.

