opc.three (4/26/2013) Sergiy (4/26/2013)
A stand-alone PowerShell prompt on Homer's machine does not offer much over a stand-alone CmdShell prompt on Homer's machine in the way of added security, only in functionality. Both shells are running as Homer, from Homer's machine IP so actions from both are subject to OS level auditing under his username -and- network level auditing under his username and IP address. When Homer accesses a cmd shell promo via xp_shell neither of those things are true.
When Homer accesses a cmd shell promo via xp_shell - nothing happens.
Unless Homer is given SA privileges.
And if Homer is given same kind of privileges on the Windows domain - "neither of those things are true".
He can do whotever he wants from whereever he wants, remotely accessing any server/desktop around with a little chance of being caught.
Get your security within SQL Server right, at least at the same level as within Windows domains - and all your imaginary hazards of xp_cmdshell will go away.
You (and Jeff) are so wrong about this it's not even worth discussing anymore because it's clear you will not see the point.
Nope. Not wrong, Orlando. I just believe differently than you and a whole lot of other people. It's equally clear that you don't see my point and that's Ok. Differences in opinion spark conversation and innovation.
Also understand that Sergiy is not calling you stupid and he's not calling you a cowboy. He called MS stupid and said that cowboy developers (meaning those folks that typically ignore everything except getting something off their plate) would ignore any and all security scaffolding. And when he said "get your security right", he's not talking about you personally... he's talking about anyone and everyone getting their security right and, despite our differences, that's all 3 of our goals. These are not personal attacks. Short, brusk, and maybe even brutally to the point (English is not his native language so he tends to be short), but they're not personal attacks on you.
As for relying "too" heavily on one area of a system, doctors do it all the time. They're called "specialists" because they're really, really good at what they do. I don't see how the use of one very flexible tool paints you in a corner while the use of another very flexible tool does not.
is pronounced ree-bar and is a Modenism for R
First step towards the paradigm shift of writing Set Based code: Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column.
If you think its expensive to hire a professional to do the job, wait until you hire an amateur. -- Red Adair
How to post code problemsHow to post performance problemsForum FAQs