• Jeff Moden (4/26/2013)


    opc.three (4/25/2013)


    I never said a regular PowerShell session offers more security than a regular cmd shell session when not running via xp_cmdshell. I said PowerShell is more robust than cmd shell and offers more functionality.

    Actually, you did.

    You could use tools like xp_cmdshell, the OLE Automation Procedures, Linked Servers, or other functionality built into T-SQL but you may find that in a security-conscious environment tools that access the file system or network from within T-SQL may not be sanctioned for use or will simply not be able to get the job done.

    Someone sitting at a PS prompt and deleting files has no more chance of being caught than someone using any other method including xp_Cmdshell.

    Not true, you're misunderstanding.

    A stand-alone cmd shell prompt running on Homer's machine is not the same as a cmd shell prompt reached via xp_cmdshell in a T-SQL session Homer is running within.

    A stand-alone PowerShell prompt on Homer's machine does not offer much over a stand-alone CmdShell prompt on Homer's machine in the way of added security, only in functionality. Both shells are running as Homer, from Homer's machine IP so actions from both are subject to OS level auditing under his username -and- network level auditing under his username and IP address. When Homer accesses a cmd shell prompt via xp_cmdshell neither of those things are true.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato