• Jeff Moden (6/15/2013)


    My reference to "More costly" is because, if you install it on a different box, you have the cost of the different box and licensing changes (IIRC). If you install it on the same box, then the "cost" is contention with the main database. Either way, you have a different "system" to maintain.

    As to documentation, there's tons of documentation for xp_CmdShell in the same place that there is for PowerShell... on the internet.

    ALL of our conversations have been both subjective and highly preferential. 😉 There's nothing wrong with that.

    You might see it that way, but that's not surprising. There are real security and auditing vulnerabilities introduced when xp_cmdshell is enabled and sanctioned for use within an environment. That's a fact.

    The most important thing that I want people to know is that, whether you use xp_CmdShell or not, just disabling it will not prevent any attacker from using it nor, in its absence, will it prevent an attacker from getting to the command prompt with elevated privs. Just because the 15 year old hack using OPENROWSET might not work anymore (and I still haven't tested that to be sure, but will), doesn't mean that a dedicated hacker (and they are VERY dedicated) can't come up with another method if they can get into the server as "SA". THAT's what must be done... you MUST prevent unauthorized people from getting in as "SA". Anything less is nothing more than a futile effort.

    False. There are inherent risks in having it enabled and sanctioning its use, as opposed to putting as many barriers in between it and a malicious user. Like I said, and showed, detecting the starting of a cmd shell is possible at the Windows level. If you're clinging to the idea that because you can't block it from being enabled in SQL Server as a reason to use it, give it up.

    And don't ever send me a foul 4 letter word PM like you recently did. You complained about Sergiy being rude. Try to follow your own advice.

    One good turn deserves another, Jeff. You started this one.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato