April 8, 2013 at 9:30 pm
opc.three (3/26/2013)
I absolutely do recommend alternatives to xp_cmdshell, namely PowerShell, SSIS, .NET, anything but xp_cmdshell.
I'm desperately want to know what kind of damage to the system can be done with xp_cmdshell but cannot be done with SSIS.
Considering same kind of security environment.
Someone was talking about clowns here....
_____________
Code for TallyGenerator
April 8, 2013 at 10:08 pm
opc.three (3/26/2013)
This from a guy that argues about the optimizer with Paul White...get a clue troll.
Who is Paul White?
The bearer of the ultimate knowledge?
Your local shiny little god?
/* Everyone, this has nothing to do with Paul White himself either personally or professionally */
Sorry to ruin your perfect universe - he is not.
He's just a person who happened to know something about mechanics od SQL, and that something is more than most of other users of this forum know about SQL Server.
Good for him. It earns a well deserved respect for him amongst the community. Well deserved.
But he still can be wrong.
And you witnessed him walking away from the discussion when I proved he's wrong.
Right here: http://www.sqlservercentral.com/Forums/FindPost1340341.aspx
Well, nobody is perfect. So what?
Take a tip.
Instead of soaking up whatever you pathetic local gods utter learn how to study matters, how to analize cases and get to proven conclusions.
When you've got it you'll be able to get some clue about how things actually work.
And then your opinion may be worth a penny or two.
But so far - you're a silly parrot looking at the mouths of you pathetic gods and mindlessly repeating whatever they say.
Well, silly parrots have their place too.
Good enough for some...
_____________
Code for TallyGenerator
April 8, 2013 at 10:13 pm
Yep, I remember that thread well...it's not the leaf level of the index that becomes fragmented, it's the mid-level pages because the clustering key is stored there. You were wrong then and you're wrong now. I guess you were not worth the time to respond. I am not sure why I am bothering at all with you.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 8, 2013 at 10:32 pm
Jeff Moden (3/27/2013)
Or, you could do what I've done. Work with the "team" to properly lock down the system and then use all of those tools as they were intended to be used.
Jeff,
I think the use of word "properly" is totally inappropriate here.
Disabling xp_cmdshell does not lock anything down at all.
So the system needs to be locked down somehow.
The biggest danger of having xp_cmdshell disabled (absolutely agree with you on this) is in letting inexperienced admins to feel that the security hole is patched.
So they do not need to work on resolving security issues in the server(s) environment.
In fact, anyone with SA privileges can access cmd shell regardless of the xp_cmdshell state.
Any moment they like.
And in totally undetectable manner (if they wish).
The door might look locked, but the key is in the keyhole, and there is no surveillance in place.
So it's much better to have it enabled and on every team meeting stress the necessity to properly configure access privileges of the account starting SQL Server.
When they see the door is open they (for some reason) much more attentive to what's behind the door than when it seems to be closed.
_____________
Code for TallyGenerator
April 8, 2013 at 10:39 pm
opc.three (4/8/2013)
Yep, I remember that thread well...it's not the leaf level of the index that becomes fragmented, it's the mid-level pages because the clustering key is stored there. You were wrong then and you're wrong now. I guess you were not worth the time to respond. I am not sure why I am bothering at all with you.
Blah, blah, blah.
Whatever.
Scripts, Change Control, leaf level - what other words did you hear from your shiny gods?
_____________
Code for TallyGenerator
April 8, 2013 at 10:58 pm
Sergiy (4/8/2013)
opc.three (4/8/2013)
Yep, I remember that thread well...it's not the leaf level of the index that becomes fragmented, it's the mid-level pages because the clustering key is stored there. You were wrong then and you're wrong now. I guess you were not worth the time to respond. I am not sure why I am bothering at all with you.Blah, blah, blah.
Whatever.
Scripts, Change Control, leaf level - what other words did you hear from your shiny gods?
Really? That is what you came back with? I have been doing this a long time my friend. Do I read a lot of what the "shiny gods" produce, yes, some of them hang out on this site including Jeff. Do I work in the field a lot, yes. Do I take other people's mistakes into account before making a choice so I can avoid them, yes, all of the above. I am not sure what to even make of your shiny gods comment other than to dismiss it as you not having much else of use to respond with.
However, giving credit where credit is due, your post previous to this one was insightful and added to the conversation. So personally I will thank you for that. This last one though...not your best effort, Sergiy.
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
April 14, 2013 at 9:49 pm
Sergiy (4/8/2013)
Jeff Moden (3/27/2013)
Or, you could do what I've done. Work with the "team" to properly lock down the system and then use all of those tools as they were intended to be used.Jeff,
I think the use of word "properly" is totally inappropriate here.
Disabling xp_cmdshell does not lock anything down at all.
So the system needs to be locked down somehow.
The biggest danger of having xp_cmdshell disabled (absolutely agree with you on this) is in letting inexperienced admins to feel that the security hole is patched.
So they do not need to work on resolving security issues in the server(s) environment.
In fact, anyone with SA privileges can access cmd shell regardless of the xp_cmdshell state.
Any moment they like.
And in totally undetectable manner (if they wish).
The door might look locked, but the key is in the keyhole, and there is no surveillance in place.
So it's much better to have it enabled and on every team meeting stress the necessity to properly configure access privileges of the account starting SQL Server.
When they see the door is open they (for some reason) much more attentive to what's behind the door than when it seems to be closed.
Sorry... not sure how I missed this reply. I agree 100% and it's what I've been stressing almost word for word. It's nice to see that I'm not the only person in the world that thinks this way. Thanks, Sergiy.
--Jeff Moden
Change is inevitable... Change for the better is not.
Viewing 7 posts - 91 through 96 (of 96 total)
You must be logged in to reply to this topic. Login to reply