opc.three (4/8/2013)
If your argument is "someone in the sysadmin Role can take down the system so why bother running a system with xp_cmdshell disabled" then I think you are completely missing the point and are only focusing on one aspect of the discussion.
Gosh. I thought you were going to quit. 🙂
The big point that I've been trying to make is that simply disabling xp_CmdShell offers only a thin veil of auditability and does not act as any kind of an obstacle to a would-be attacker or mischievous user, either internally or externally, if that person has SA privs.
--Jeff Moden
Change is inevitable... Change for the better is not.