• SQLRNNR (5/4/2013)


    There is a Surface Area Configuration facet in PBM as well as a Server Configuration Facet. Both of these have the XPCmdShell check to see if it is enabled. But neither of these facets (when applied to a condition and used in a policy) can prevent the change of the server configuration. These facets are designed to report on configurations that are out of compliance and not prevent them.

    That's spot on with what I was finding. Thank you very much for the confirmation.

    A good alternative to preventing is to have a policy in place that it is not to be used unless otherwise documented. Then audit for the use of xp_cmdshell. When somebody uses it, then you have a log of the use and the individual can be spoken to.

    I'm not sure that's true. An "SA" could manipulate the logs or even avoid the logs by creating a self-deleting job that uses CmdExec. It may not be xp_CmdShell but it does get you in with some pretty elevated privs.

    The truth is, I'm not so worried about folks on the inside. They have to go through a pretty rigorous background check. Hackers aren't going to log in as themselves. They're going to log in as someone else (perhaps even as "SA"), get what they need, delete parts of the log (saw it done in a recent hacker demo. The guy was good and his software was even better), and be out with no one the wiser. He even showed us how to reinstate the xp_CmdShell extended stored procedure (2 different ways, and said there were more) if someone deleted it.

    After the demo I saw, turning off xp_CmdShell seems to be like trying to put out a 4-cord bonfire by spitting on it. 😛 That's what led me to ask the question if PBM or any other tool could prevent someone with "SA" privs from using xp_CmdShell. It looks like the ONLY way to keep a hacker from using it is to not let them in as "SA". Of course, that's the real goal, but I was looking for that extra "layer of protection" that some folks think they get just by turning it off. Post mortem logs just don't get it for me.

    Anyway, thank you again for your time. I really appreciate it.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
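The exchange above leaves the "audit for the use of xp_cmdshell" suggestion and the CmdExec-job evasion as prose. The following T-SQL is an added example that is not part of the original thread or either poster's code: it shows what such an audit looks like with SQL Server Audit (SQL Server 2008 or later), covers the Agent job-step route mentioned in the reply, and includes the report-only configuration check that mirrors what the PBM facet does. The audit name, specification names, login and file path are assumptions; replace them for your instance. Creating the audit requires sysadmin or ALTER ANY SERVER AUDIT.

```sql
-- Added example, not from the thread. All object names and the file path
-- are assumptions chosen for illustration.
USE master;
GO

-- 1. Server-level audit target. ON_FAILURE = SHUTDOWN would stop the
--    instance if the audit cannot write (so it cannot be silently starved);
--    CONTINUE is used here so the example is safe to run as-is.
CREATE SERVER AUDIT [Audit_xp_cmdshell]
    TO FILE (FILEPATH = N'C:\SQLAudit\', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 10)
    WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT [Audit_xp_cmdshell] WITH (STATE = ON);
GO

-- 2. Server-level actions: record anyone altering the audit itself
--    (the first thing someone holding "SA" would do before using xp_cmdshell)
--    and server-scoped object changes.
CREATE SERVER AUDIT SPECIFICATION [AuditSpec_Server]
    FOR SERVER AUDIT [Audit_xp_cmdshell]
    ADD (AUDIT_CHANGE_GROUP),
    ADD (SERVER_OBJECT_CHANGE_GROUP)
    WITH (STATE = ON);
GO

-- 3. Every EXECUTE of xp_cmdshell by any principal. The procedure lives in
--    master, so this is a database audit specification created in master.
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_xp_cmdshell]
    FOR SERVER AUDIT [Audit_xp_cmdshell]
    ADD (EXECUTE ON OBJECT::sys.xp_cmdshell BY public)
    WITH (STATE = ON);
GO

-- 4. The CmdExec job route: record job-step creation and changes in msdb,
--    since a job step needs no call to xp_cmdshell at all.
USE msdb;
GO
CREATE DATABASE AUDIT SPECIFICATION [AuditSpec_AgentJobs]
    FOR SERVER AUDIT [Audit_xp_cmdshell]
    ADD (EXECUTE ON OBJECT::dbo.sp_add_jobstep BY public),
    ADD (EXECUTE ON OBJECT::dbo.sp_update_jobstep BY public)
    WITH (STATE = ON);
GO

-- 5. Review: who did what, with the action code resolved to a readable name.
SELECT f.event_time, a.name AS action_name, f.server_principal_name,
       f.database_name, f.object_name, f.statement
FROM sys.fn_get_audit_file(N'C:\SQLAudit\*.sqlaudit', DEFAULT, DEFAULT) AS f
JOIN sys.dm_audit_actions AS a ON a.action_id = f.action_id
ORDER BY f.event_time DESC;

-- 6. Compliance check equivalent to the PBM facet: this only reports whether
--    xp_cmdshell is enabled; nothing here prevents sp_configure from changing it.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 7. Hunt for CmdExec job steps, including jobs set to delete themselves
--    (delete_level: 0 = never, 1 = on success, 2 = on failure, 3 = always).
SELECT j.name AS job_name, s.step_name, s.subsystem, s.command, j.delete_level
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = N'CmdExec';
```

This supports the point made in the reply rather than contradicting it: a login with "SA" can still ALTER the audit off, and once it has a shell it can delete the .sqlaudit files from disk. The audit's value is that the ALTER itself is recorded by AUDIT_CHANGE_GROUP up to the moment it is disabled, and that a step 7 sweep finds a CmdExec job before its self-delete fires if it is run often enough. Writing the audit files to a location the SQL Server service account can append to but not delete, or forwarding them off the host as they are written, is what turns this from a post-mortem log into something an intruder cannot fully erase.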