I have a theory about this: it says something along the lines of 'make sure that "XP_cmdshell" uses a windows login without much privilege'. I can't remember whether this works or not against a competent attacker - I do know that it worked well enough for me, and I had some people whose job included being a competent attacker.

Of course you may want to run SQL Server under a domain admin user and make the SQL server command proxy (or whatever it is called now) a domain admin, in which case what I suggested above is utterly pointless.