Someone please tell me why this is considered insecure:
A stored procedure that, out of the box, is disabled and has no explicit rights granted (or denied) is locked down to everyone but those in the sysadmin server role.
If someone exploits your SQL Server via xp_cmdshell, it's because you LET them, either by granting permissions or by putting someone in sysadmin that clearly should not have been there.
Told you it was a quickie 🙂
Thanks for reading!
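To check the three controls the post relies on (disabled by default, no explicit rights on the procedure, and only sysadmin can run it) on your own instance, here is an added read-only audit script; it is not from the post, and it assumes you can read the catalog views in master. Each query should return "locked down" results on an untouched instance.

```sql
-- Added audit script (not from the original post): read-only checks of the
-- controls the post describes. Run in master; nothing here changes configuration.
USE master;

-- 1. Is xp_cmdshell enabled? value_in_use = 0 is the out-of-the-box (disabled) state.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Who is in sysadmin? These logins can run xp_cmdshell and can re-enable it,
--    so this list is the real attack surface, not the configuration bit above.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 2b. CONTROL SERVER is equivalent for this purpose; list explicit holders too.
SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions sp
JOIN sys.server_principals p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = N'CONTROL SERVER';

-- 3. Has EXECUTE on xp_cmdshell been explicitly granted or denied in master?
--    Out of the box this returns no rows; any GRANT row here is a decision someone made.
SELECT dp.name AS grantee, perm.permission_name, perm.state_desc
FROM sys.database_permissions perm
JOIN sys.database_principals dp ON dp.principal_id = perm.grantee_principal_id
WHERE perm.class = 1
  AND perm.major_id = OBJECT_ID(N'sys.xp_cmdshell');

-- 4. Non-sysadmin callers additionally need the proxy credential, which only
--    exists if someone ran sp_xp_cmdshell_proxy_account. No row = one more barrier.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = N'##xp_cmdshell_proxy_account##';
```

If query 1 shows it enabled, queries 2 and 3 tell you who could actually call it; review those rows before worrying about the setting itself.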
Jeff Moden says
Old post I know but to add to that, if someone breaks in without sysadmin or control server privs, can they use xp_cmdshell? No… they can’t even turn it on and, if they could, they still wouldn’t have the privs to use it.
On the other hand, if they do break in with such privs, will having it turned off prevent them from using it? No… because they’ll also have the privs to turn it on.
And, it’s not xp_CmdShell that’s dangerous… it’s allowing unqualified people to use it that’s dangerous. In that vein, it’s super simple to create stored procedures that use it (and things like TRUNCATE, which is also dangerous in the hands of unqualified people) that have been tested and approved that low prived users can execute but can’t even see what’s in the proc and cannot change it AND they don’t have privs to use it directly.
The reason why xp_CmdShell is “dangerous” is because it’s an extremely powerful and useful tool. It’s like a rotor-tiller… in the wrong hands, it’s dangerous to all of your flower beds, your lawn, the surface roots of your trees, your cats, and your feet… in the correct hands, it’s like having a whole garden team working on your yard.
Turn it on and use it safely and correctly. It might even make you pay more attention to security, which is what you should really be worried about. xp_CmdShell is not a risk… a lack of security is and having it turned off does NOTHING to mitigate that risk. And consider all the wieners you’ve given privs to run PowerShell and Python to. 😉
Jeff Moden says
In other words, I agree with the title of this post! 😀
Wow…this post pre-dates the existence of Dallas DBAs!