• opc.three (11/20/2013)


    Jeff Moden (11/20/2013)


    opc.three (11/19/2013)


    Jeff Moden (11/5/2013)


    SQLRNNR (11/5/2013)


    Jeff Moden (11/5/2013)


    Heh... I had to think about it. For me, the correct answer would have started with "Exec xp_CmdShell". 😀

    not sp_configure??

    :w00t::-D

    Heck no. I leave xp_CmdShell on all the time. There's no security advantage to turning it off.

    Sorry, I was led back here looking for another previous post. Your statement requires qualification, Jeff.

    Maybe in some environments that is true enough, obviously it is in your environment and for you, but in general your statement is incorrect. Having xp_cmdshell enabled reduces the overall security and auditability of an instance.

    No, it's not. It's just wrong for you and what you believe.

    Sorry Jeff, but I must disagree with you, again. You can attempt to put this onto a belief, or you can refer to the facts. I prefer to refer to the facts.

    Crud. Here we go again.

    Tell me how you can stop an SA from getting to the command prompt through SQL Server? You can't.

    Who are the only people that can enable xp_CmdShell? Only SAs.

    Tell me the only people that can use xp_CmdShell (unless you messed up with a proxy)? Only SAs.

    Can anyone other than an SA turn on xp_CmdShell? No.

    Can you determine WHO turned on xp_CmdShell through auditing? You can tell what the SPID was but there is no true conviction path to the person. You could even make a self deleting job do your dirty work for you.

    It would be better if you spent more time telling people how to prevent bad guys from getting in as SA than telling them to turn off xp_Cmdshell because turning it off provides no extra security from internal people or external people that get in as SA.

    --Jeff Moden

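The instance-level checks this exchange revolves around (the xp_cmdshell setting, sysadmin membership, the proxy account, and what the default trace recorded about configuration changes), as an added T-SQL example that is not code from any poster in the thread. It assumes the default trace is enabled and that the caller may read server-level metadata.

```sql
-- 1. Current xp_cmdshell state: configured value vs. value in use.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Members of the sysadmin role: the principals who can enable
--    and run xp_cmdshell when no proxy is configured.
SELECT m.name, m.type_desc, m.is_disabled, m.create_date, m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 3. Proxy credential: if this row exists, non-sysadmins who hold
--    EXECUTE on xp_cmdshell can run it under the proxy's Windows account.
SELECT name, credential_identity, create_date, modify_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';

-- 4. Explicit permissions granted on xp_cmdshell in master.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM master.sys.database_permissions AS pe
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID(N'master.sys.xp_cmdshell');

-- 5. Configuration changes recorded by the default trace
--    (EventClass 22 = ErrorLog). The trace files roll over, so
--    older changes may no longer be present.
DECLARE @path nvarchar(260) =
    (SELECT TOP (1) path FROM sys.traces WHERE is_default = 1);

SELECT StartTime, LoginName, HostName, ApplicationName, SPID, TextData
FROM sys.fn_trace_gettable(@path, DEFAULT)
WHERE EventClass = 22
  AND TextData LIKE N'%xp_cmdshell%'
ORDER BY StartTime DESC;
```

Query 5 returns the login, host and application recorded with each change event; whether that identifies the person behind a shared or job-owned login is the point the posters dispute.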