Xp_cmdshell – the most dangerous extended stored procedure on the planet

16 February,2015 by Jack Vamvas

Xp_cmdshell is possibly the most dangerous extended stored procedure on the planet. I've seen some serious impact from the combination of xp_cmdshell enabled and sysadmin rights. The main reason for its dangerous reputation is that xp_cmdshell hands the caller a Windows command shell on the SQL Server host: the command runs under the security context of the SQL Server service account when the caller is a sysadmin, or under the xp_cmdshell proxy account for everyone else. A SQL injection flaw or a compromised sysadmin login therefore becomes operating system access, not just data access.

My general rule is not to give non-DBAs direct access to xp_cmdshell. If a user requests xp_cmdshell for a valid and pragmatic reason, I set up a stored procedure that runs xp_cmdshell for one fixed command, and grant them EXECUTE on that procedure only. Add a check on the input parameters of this managed stored procedure: anything that ends up concatenated into the command line must be validated against an allow-list, otherwise the wrapper is simply an OS command injection point with a different name.
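As an added example (not code from the original post), here is the shape of such a managed wrapper: it runs one fixed OS command, validates the only caller-controlled parameter against an allow-list, and is the only object the requesting role is granted. The procedure name dbo.usp_ListDropFolder, the folder D:\Drop and the role AppBatch are hypothetical. The wrapper runs as its owner so the caller needs no permission on xp_cmdshell itself; this works in master because master is TRUSTWORTHY and owned by sa. Signing the module with a certificate is the cleaner alternative if you prefer to keep user objects out of master.

```sql
-- Added example, not from the original post. Names are hypothetical.
USE master;
GO

CREATE PROCEDURE dbo.usp_ListDropFolder
    @SubFolder nvarchar(64)
WITH EXECUTE AS OWNER          -- caller never needs EXECUTE on xp_cmdshell
AS
BEGIN
    SET NOCOUNT ON;

    -- Allow-list the single caller-controlled value: one path segment made of
    -- letters, digits, underscore or hyphen. Spaces, quotes, &, |, >, %, and
    -- the ".." sequence are all rejected, so a second command cannot be
    -- smuggled into the shell line. (Under a case-insensitive collation the
    -- A-Z range already covers a-z; a-z is listed for clarity.)
    IF @SubFolder IS NULL
       OR LEN(@SubFolder) NOT BETWEEN 1 AND 64
       OR @SubFolder LIKE N'%[^A-Za-z0-9_-]%'
    BEGIN
        RAISERROR(N'Invalid folder name.', 16, 1);
        RETURN 1;
    END;

    -- The command itself is fixed; only the validated segment varies.
    DECLARE @cmd varchar(4000) = 'dir "D:\Drop\' + @SubFolder + '"';

    EXEC master.sys.xp_cmdshell @cmd;
    RETURN 0;
END;
GO

-- Grant the wrapper, never xp_cmdshell itself. AppBatch is a hypothetical
-- database role in master whose members are the requesting application logins.
GRANT EXECUTE ON dbo.usp_ListDropFolder TO AppBatch;
GO

-- Expected behaviour:
--   EXEC dbo.usp_ListDropFolder N'invoices_2015';        -- lists D:\Drop\invoices_2015
--   EXEC dbo.usp_ListDropFolder N'x" & whoami & "';      -- rejected by the allow-list
--   EXEC dbo.usp_ListDropFolder N'..\..\Windows';        -- rejected by the allow-list
```

Keep the validation as a positive allow-list rather than a blacklist of shell metacharacters; the set of characters cmd.exe treats specially is larger than most people remember.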

Xp_cmdshell

There are valid reasons for granting a user xp_cmdshell, and a review is essential. Weigh the security risks against the benefits before granting xp_cmdshell privileges to a login, and record the decision so the grant can be re-reviewed later.

Different methods of granting xp_cmdshell permissions

  1. Grant sysadmin to the login account
  2. It is also possible to grant a user xp_cmdshell usage by granting EXECUTE permission on the extended stored procedure xp_cmdshell. The procedure lives in master, so the login needs a database user in master to receive the grant. A non-sysadmin caller also needs the xp_cmdshell proxy account (configured with sp_xp_cmdshell_proxy_account) to exist, otherwise the call fails; every command such a caller runs executes under that proxy Windows account.

How to check if xp_cmdshell is enabled


-- returns 1 when xp_cmdshell is enabled, 0 when it is disabled
SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value
FROM sys.configurations WHERE name = 'xp_cmdshell';
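The enabled flag on its own does not tell you who can use it. As an added review script (not from the original post), the following goes a step further: it reports the configured and in-use values, lists the sysadmin members who can run xp_cmdshell (and re-enable it if it is off), lists explicit EXECUTE grants on the procedure in master, shows whether a proxy account exists for non-sysadmin callers, and ends with the statements that turn the feature off. The login name AppBatch in the commented grant is hypothetical.

```sql
-- Added example, not from the original post.
-- 1. Is xp_cmdshell enabled? value = configured, value_in_use = what is active now
SELECT name,
       CONVERT(int, value)        AS configured_value,
       CONVERT(int, value_in_use) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 2. sysadmin members: each can run xp_cmdshell once it is enabled,
--    and can enable it themselves with sp_configure if it is not.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY sp.name;

-- 3. Explicit EXECUTE grants on the extended procedure in master
USE master;
SELECT dp.name          AS master_user,
       sp.name          AS login_name,
       p.permission_name,
       p.state_desc
FROM sys.database_permissions p
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
LEFT JOIN sys.server_principals sp ON sp.sid = dp.sid
WHERE p.class = 1                                   -- object permission
  AND p.major_id = OBJECT_ID('master.sys.xp_cmdshell');

-- 4. Proxy account used when a non-sysadmin calls xp_cmdshell.
--    No row here means non-sysadmin callers cannot run it at all.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. If the review decides a non-sysadmin login really needs it (method 2 above).
--    AppBatch is a hypothetical login; the proxy is a low-privilege Windows
--    account, never a domain admin.
-- CREATE USER [AppBatch] FOR LOGIN [AppBatch];
-- GRANT EXECUTE ON sys.xp_cmdshell TO [AppBatch];
-- EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\svc_xpcmd', 'proxy-account-password';

-- 6. Disable when it is not needed; RECONFIGURE makes it take effect immediately
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Note that disabling xp_cmdshell is a control against mistakes, not against a sysadmin: anyone in that role can re-enable it with the same two sp_configure calls, which is why step 2 belongs in the review.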

Read More on Security Risk Analysis

How to create a SQL Server Security Audit

SQL Server Security Policy



Author: Jack Vamvas (http://www.sqlserver-dba.com)

