• SQLShark - Friday, February 17, 2017 6:13 AM

    Jeff, in our environment it is a security violation to leave this turned on. So we flip it on to use the functionality and then flip it off when done. I automated a DR restore and once each db is restored it is copied to an archive directory and the housekeeping is performed from there. Not as painful automated. Thanks for the compliment! Ed

    Understood.  But, considering that only those with sysadmin or controlserver privs can use it or turn it on or off, what amount of security do they think that's going to provide?  If a hacker gets in with sysadmin privs, it won't even be a 1ms speed bump for their attack software.  If you have a bunch of people that aren't supposed to be using it but have sysadmin or controlserver privs, then you have a security problem.  Having xp_CmdShell turned on isn't a security problem.  If you'd like, I could send you my presentation on why xp_CmdShell isn't a security problem and what you really need to do to secure your system.

    And, yeah... it actually was a compliment because most people won't allow usage of xp_CmdShell ever.  It's good to see someone that understands what a valuable tool it is.  It's just that enabling it to use it and disabling it when done is an unnecessary complication of code that doesn't provide any extra security.

    --Jeff Moden


    RBAR is pronounced "ree-bar" and is a "Modenism" for Row-By-Agonizing-Row.
    First step towards the paradigm shift of writing Set Based code:
    ________Stop thinking about what you want to do to a ROW... think, instead, of what you want to do to a COLUMN.

    Change is inevitable... Change for the better is not.


    Helpful Links:
    How to post code problems
    How to Post Performance Problems
    Create a Tally Function (fnTally)
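The exchange above turns on two things: the enable/disable wrapper SQLShark's automation uses, and Jeff's point that the real control is who holds sysadmin or CONTROL SERVER. The T-SQL below is an added example written for this thread, not code from either poster. It first audits the principals that matter (sysadmin members, direct CONTROL SERVER grants, and, going one step beyond the discussion, explicit EXECUTE grants on xp_cmdshell in master), then shows the sp_configure toggle pattern the thread describes. It assumes a SQL Server instance where the caller can read the catalog views; no object names other than the built-in ones are used.

```sql
-- Added example for this thread (not the posters' code).
-- Part 1: the audit Jeff's argument calls for. Who could run xp_cmdshell,
-- or simply turn it on themselves?
USE master;
GO

-- 1a. Current state of the option (value = configured, value_in_use = running).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 1b. Members of the sysadmin fixed server role.
SELECT m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 1c. Principals granted CONTROL SERVER directly (equivalent power, easy to miss
--     because they do not show up as role members).
SELECT p.name AS grantee, p.type_desc, perm.state_desc, perm.permission_name
FROM sys.server_permissions AS perm
JOIN sys.server_principals AS p ON p.principal_id = perm.grantee_principal_id
WHERE perm.permission_name = 'CONTROL SERVER'
  AND perm.state IN ('G', 'W')   -- GRANT or GRANT WITH GRANT OPTION
ORDER BY p.name;

-- 1d. Beyond the thread: explicit EXECUTE grants on xp_cmdshell itself in master
--     (non-sysadmin callers can be granted this alongside a proxy account, so an
--     audit that stops at sysadmin/CONTROL SERVER is incomplete).
SELECT dp.name AS grantee, dp.type_desc, perm.state_desc, perm.permission_name
FROM sys.database_permissions AS perm
JOIN sys.database_principals AS dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class = 1                                    -- object or column
  AND perm.major_id = OBJECT_ID('sys.xp_cmdshell')
  AND perm.permission_name = 'EXECUTE'
ORDER BY dp.name;
GO

-- Part 2: the toggle pattern SQLShark describes (enable, use, disable).
-- Requires ALTER SETTINGS, which sysadmin and serveradmin hold, so the wrapper
-- adds nothing for anyone who already has that power; it only adds code paths.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- ... the automated work (e.g. copying a restored database file to the archive
--     directory, as in SQLShark's DR job) would run here ...

EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Run Part 1 on its own as a periodic review: the rows it returns (not the value of the xp_cmdshell option) are the list of people and service accounts whose compromise matters, which is the point Jeff is making. Part 2 is only there to show the pattern under discussion; if the audit in Part 1 is clean, the on/off wrapper changes nothing about who can act.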