• SQLRNNR (5/4/2013)


    I have seen those demos as well. What I think the takeaway from them is:

    1. Logging should be stored on a different system

    2. Monitors should be in place (HIPS) to alert and prevent

    3. Security team that is on top of things.

    But in the end, if the hacker is good enough, then they can get in and out still. Once they get onto the server, they will get what they want. Think about it: if you have your network firewalled, zoned, routing rules in place, SQL Servers on a separate subnet with a separate firewall ACL, Host Intrusion Detection and Host Intrusion Prevention systems in place - the hacker can put xp_cmdshell on the server even if you delete the dll.

    Not without access to internet,

    but yeah at some point, you're just screwed...

    I still think you can play with the Windows permissions. There's a way to forbid installing stuff, no idea what the consequences would be assuming it's possible.